Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2021-4104 (GCVE-0-2021-4104)
Vulnerability from cvelistv5
- CWE-502 - Deserialization of Untrusted Data
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Log4j 1.x |
Version: Apache Log4j 1.2 1.2.x |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T17:16:04.172Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "tags": [ "x_transferred" ], "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "tags": [ "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "name": "VU#930724", "tags": [ "third-party-advisory", "x_transferred" ], "url": "https://www.kb.cert.org/vuls/id/930724" }, { "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_transferred" ], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20211223-0007/" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "name": "GLSA-202209-02", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202209-02" }, { "name": "GLSA-202310-16", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202310-16" }, { "name": "GLSA-202312-02", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202312-02" }, { "name": "GLSA-202312-04", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202312-04" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Log4j 1.x", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache Log4j 1.2 1.2.x" } ] } ], "descriptions": [ { "lang": "en", "value": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-22T09:06:15.357899", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "name": "VU#930724", "tags": [ "third-party-advisory" ], "url": "https://www.kb.cert.org/vuls/id/930724" }, { "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3" }, { "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033" }, { "url": "https://security.netapp.com/advisory/ntap-20211223-0007/" }, { "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "name": "GLSA-202209-02", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202209-02" }, { "name": "GLSA-202310-16", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202310-16" }, { "name": "GLSA-202312-02", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202312-02" }, { "name": "GLSA-202312-04", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202312-04" } ], "source": { "discovery": "UNKNOWN" }, "title": "Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-4104", "datePublished": "2021-12-14T00:00:00", "dateReserved": "2021-12-13T00:00:00", "dateUpdated": "2024-08-03T17:16:04.172Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2021-4104\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2021-12-14T12:15:12.200\",\"lastModified\":\"2024-11-21T06:36:54.560\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.\"},{\"lang\":\"es\",\"value\":\"JMSAppender en Log4j versi\u00f3n 1.2 es vulnerable a una deserializaci\u00f3n de datos no confiables cuando el atacante presenta acceso de escritura a la configuraci\u00f3n de Log4j. El atacante puede proporcionar configuraciones TopicBindingName y TopicConnectionFactoryBindingName haciendo que JMSAppender realice peticiones JNDI que resulten en la ejecuci\u00f3n de c\u00f3digo remota de forma similar a CVE-2021-44228. Tenga en cuenta que este problema s\u00f3lo afecta a Log4j versi\u00f3n 1.2 cuando es configurado espec\u00edficamente para usar JMSAppender, que no es el predeterminado. Apache Log4j versi\u00f3n 1.2 lleg\u00f3 al final de su vida \u00fatil en agosto de 2015. Los usuarios deber\u00edan actualizar a Log4j 2 ya que aborda otros numerosos problemas de las versiones anteriores\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:P/I:P/A:P\",\"baseScore\":6.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":6.8,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:log4j:1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2954BDA9-F03D-44AC-A9EA-3E89036EEFA8\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:codeready_studio:12.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1BAF877F-B8D5-4313-AC5C-26BB82006B30\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B87C8AD3-8878-4546-86C2-BF411876648C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:integration_camel_quarkus:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F039C746-2001-4EE5-835F-49607A94F12B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_a-mq:6.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"33C4404A-CFB7-4B47-9487-F998825C31CA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_a-mq:7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A58966CB-36AF-4E64-AB39-BE3A0753E155\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_a-mq_streaming:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8C7257E5-B4A7-4299-8FE1-A94121E47528\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CD354E32-A8B0-484C-B4C6-9FBCD3430D2D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_data_virtualization:6.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5CDDAFDB-E67A-4795-B2C4-C2D31734ABC8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B142ACCC-F7A9-4A3B-BE60-0D6691D5058D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"88BF3B2C-B121-483A-AEF2-8082F6DA5310\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A305F012-544E-4245-9D69-1C8CD37748B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B40CCE4F-EA2C-453D-BB76-6388767E5C6D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_fuse_service_works:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B78438D-1321-4BF4-AEB1-DAF60D589530\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_operations_network:3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C077D692-150C-4AE9-8C0B-7A3EA5EB1100\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_web_server:3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"54EB07A0-FB38-4F17-9C8D-DB629967F07B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A33441B3-B301-426C-A976-08CE5FE72EFB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6B62E762-2878-455A-93C9-A5DB430D7BB5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"14CF53D2-B585-4EA5-8F18-21BC9ECBB4B6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"91B493F0-5542-49F7-AAAE-E6CA6E468D7B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"20A6B40D-F991-4712-8E30-5FE008505CB7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"749804DA-4B27-492A-9ABA-6BB562A6B3AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F4CFF558-3C47-480D-A2F0-BABF26042943\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A62E2A25-1AD7-4B4B-9D1B-F0DEA4550557\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0331158C-BBE0-42DB-8180-EB1FCD290567\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"B602F9E8-1580-436C-A26D-6E6F8121A583\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"77C3DD16-1D81-40E1-B312-50FBD275507C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"81DAC8C0-D342-44B5-9432-6B88D389584F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E869C417-C0E6-4FC3-B406-45598A1D1906\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DFEFE2C0-7B98-44F9-B3AD-D6EC607E90DA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C68536CA-C7E2-4228-A6B8-F0DB6A9D29EC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E1214FDF-357A-4BB9-BADE-50FB2BD16D10\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B21E6EEF-2AB7-4E96-B092-1F49D11B4175\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"12.0.0.4.0\",\"matchCriteriaId\":\"28CDCE04-B074-4D7A-B6E4-48193458C9A0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5933FEA2-B79E-4EE7-B821-54D676B45734\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D299528-8EF0-49AF-9BDE-4B6C6B1DA36C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"17A91FD9-9F77-42D3-A4D9-48BC7568ADE1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A7637F8B-15F1-42E2-BE18-E1FF7C66587D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E43D793A-7756-4D58-A8ED-72DC4EC9CEA7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6ED0EE39-C080-4E75-AE0F-3859B57EF851\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D26F3E23-F1A9-45E7-9E5F-0C0A24EE3783\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E8758C8-87D3-450A-878B-86CE8C9FC140\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"054B56E0-F11B-4939-B7E1-E722C67A041A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"250A493C-E052-4978-ABBE-786DC8038448\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E2B771B-230A-4811-94D7-065C2722E428\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:fusion_middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F17531CB-DE8A-4ACD-93A0-6A5A8481D51B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:goldengate:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"507E7AEE-C2FC-4EED-B0F7-5E41642C0BF7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"66C673C4-A825-46C0-816B-103E1C058D03\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"11.2.8.0\",\"matchCriteriaId\":\"E8E7FBA9-0FFF-4C86-B151-28C17A142E0B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"11.2.8.0\",\"matchCriteriaId\":\"55BBCD48-BCC6-4E19-A4CE-970E524B9FF4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1489DDA7-EDBE-404C-B48D-F0B52B741708\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"535BC19C-21A1-48E3-8CC0-B276BA5D494E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"228DA523-4D6D-48C5-BDB0-DB1A60F23F8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"8.0.29\",\"matchCriteriaId\":\"B0EBAC6D-D0CE-42A1-AEA0-2D50C8035747\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_allocation:14.1.3.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"51E83F05-B691-4450-BCA9-32209AEC4F6A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_allocation:15.0.3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"288235F9-2F9E-469A-BE14-9089D0782875\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_allocation:16.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6672F9C1-DA04-47F1-B699-C171511ACE38\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_allocation:19.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"11E57939-A543-44F7-942A-88690E39EABA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"30501D23-5044-477A-8DC3-7610126AEFD7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:stream_analytics:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0B45A731-11D1-433B-B202-9C8D67C609F9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:timesten_grid:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"900D9DBF-8071-4CE5-A67A-9E0C00D04B87\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB7D0A30-3986-49AB-B7F3-DAE0024504BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A3ED272C-A545-4F8C-86C0-2736B3F2DCAF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C5B4C338-11E1-4235-9D5A-960B2711AC39\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8C93F84E-9680-44EF-8656-D27440B51698\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F14A818F-AA16-4438-A3E4-E64C9287AC66\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"04BCDC24-4A21-473C-8733-0D9CFB38A752\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2022/01/18/3\",\"source\":\"security@apache.org\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2021-4104\",\"source\":\"security@apache.org\"},{\"url\":\"https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126\",\"source\":\"security@apache.org\"},{\"url\":\"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033\",\"source\":\"security@apache.org\"},{\"url\":\"https://security.gentoo.org/glsa/202209-02\",\"source\":\"security@apache.org\"},{\"url\":\"https://security.gentoo.org/glsa/202310-16\",\"source\":\"security@apache.org\"},{\"url\":\"https://security.gentoo.org/glsa/202312-02\",\"source\":\"security@apache.org\"},{\"url\":\"https://security.gentoo.org/glsa/202312-04\",\"source\":\"security@apache.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20211223-0007/\",\"source\":\"security@apache.org\"},{\"url\":\"https://www.cve.org/CVERecord?id=CVE-2021-44228\",\"source\":\"security@apache.org\"},{\"url\":\"https://www.kb.cert.org/vuls/id/930724\",\"source\":\"security@apache.org\"},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2022.html\",\"source\":\"security@apache.org\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"security@apache.org\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"security@apache.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/01/18/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2021-4104\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202209-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202310-16\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202312-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202312-04\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20211223-0007/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.cve.org/CVERecord?id=CVE-2021-44228\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.kb.cert.org/vuls/id/930724\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}" } }
rhsa-2022:1297
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:1297", "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-22105", "url": "https://issues.redhat.com/browse/JBEAP-22105" }, { "category": "external", "summary": "JBEAP-22385", "url": "https://issues.redhat.com/browse/JBEAP-22385" }, { "category": "external", "summary": "JBEAP-22731", "url": "https://issues.redhat.com/browse/JBEAP-22731" }, { "category": "external", "summary": "JBEAP-22738", "url": "https://issues.redhat.com/browse/JBEAP-22738" }, { "category": "external", "summary": "JBEAP-22819", "url": "https://issues.redhat.com/browse/JBEAP-22819" }, { "category": "external", "summary": "JBEAP-22839", "url": "https://issues.redhat.com/browse/JBEAP-22839" }, { "category": "external", "summary": "JBEAP-22864", "url": "https://issues.redhat.com/browse/JBEAP-22864" }, { "category": "external", "summary": "JBEAP-22900", "url": "https://issues.redhat.com/browse/JBEAP-22900" }, { "category": "external", "summary": "JBEAP-22904", "url": "https://issues.redhat.com/browse/JBEAP-22904" }, { "category": "external", "summary": "JBEAP-22911", "url": "https://issues.redhat.com/browse/JBEAP-22911" }, { "category": "external", "summary": "JBEAP-22912", "url": "https://issues.redhat.com/browse/JBEAP-22912" }, { "category": "external", "summary": "JBEAP-22913", "url": "https://issues.redhat.com/browse/JBEAP-22913" }, { "category": "external", "summary": "JBEAP-22935", "url": "https://issues.redhat.com/browse/JBEAP-22935" }, { "category": "external", "summary": "JBEAP-22945", "url": "https://issues.redhat.com/browse/JBEAP-22945" }, { "category": "external", "summary": "JBEAP-22973", "url": "https://issues.redhat.com/browse/JBEAP-22973" }, { "category": "external", "summary": "JBEAP-23038", "url": "https://issues.redhat.com/browse/JBEAP-23038" }, { "category": "external", "summary": "JBEAP-23040", "url": "https://issues.redhat.com/browse/JBEAP-23040" }, { "category": "external", "summary": "JBEAP-23045", "url": "https://issues.redhat.com/browse/JBEAP-23045" }, { "category": "external", "summary": "JBEAP-23101", "url": "https://issues.redhat.com/browse/JBEAP-23101" }, { "category": "external", "summary": "JBEAP-23105", "url": "https://issues.redhat.com/browse/JBEAP-23105" }, { "category": "external", "summary": "JBEAP-23143", "url": "https://issues.redhat.com/browse/JBEAP-23143" }, { "category": "external", "summary": "JBEAP-23177", "url": "https://issues.redhat.com/browse/JBEAP-23177" }, { "category": "external", "summary": "JBEAP-23323", "url": "https://issues.redhat.com/browse/JBEAP-23323" }, { "category": "external", "summary": "JBEAP-23373", "url": "https://issues.redhat.com/browse/JBEAP-23373" }, { "category": "external", "summary": "JBEAP-23374", "url": "https://issues.redhat.com/browse/JBEAP-23374" }, { "category": "external", "summary": "JBEAP-23375", "url": "https://issues.redhat.com/browse/JBEAP-23375" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1297.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update", "tracking": { "current_release_date": "2025-10-09T21:42:24+00:00", "generator": { "date": "2025-10-09T21:42:24+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:1297", "initial_release_date": "2022-04-11T13:00:18+00:00", "revision_history": [ { "date": "2022-04-11T13:00:18+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-04-11T13:00:18+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:24+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el8eap?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el8-x86_64@2.2.0-2.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el8eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-core@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-entitymanager@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-envers@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-java8@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-compensations@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbosstxbridge@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbossxts@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-idlj@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-integration@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-api@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-bridge@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-integration@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-util@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-txframework@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-cli@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-commons@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-core-client@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-dto@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hornetq-protocol@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hqclient-protocol@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jdbc-store@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-client@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-server@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-journal@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-ra@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-selector@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-server@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-service-extensions@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-tools@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.11-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-jdbc@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-remote@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-client-hotrod@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-commons@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-component-annotations@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-core@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-commons@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-spi@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-v53@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el8eap?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-java@2.2.0-3.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-15.Final_redhat_00014.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-15.Final_redhat_00014.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_id": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.4-3.GA_redhat_00011.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_id": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.4-3.GA_redhat_00011.1.el8eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_id": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el8-x86_64@2.2.0-2.Final_redhat_00002.1.el8eap?arch=x86_64" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_id": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el8-x86_64-debuginfo@2.2.0-2.Final_redhat_00002.1.el8eap?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:0497
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Data Virtualization.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.\n\nThis Service Pack release of Red Hat JBoss Data Virtualization 6.4.8.SP1 (Service Pack 1) serves as a replacement for Red Hat JBoss Data Virtualization 6.4.8, and mitigates the impact of the log4j CVE\u0027s referenced in this document by removing the affected classes from the patch.\n\nNote: customers should update their EAP 6.4 installation with the corresponding security fixes that have been released for that (see RHSA-2022:0437 and https://access.redhat.com/site/solutions/625683)\n\nSecurity Fix(es):\n\n* log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\n* log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0497", "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/" }, { "category": "external", "summary": "1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0497.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.4.8.SP1 security update", "tracking": { "current_release_date": "2025-10-10T02:14:55+00:00", "generator": { "date": "2025-10-10T02:14:55+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0497", "initial_release_date": "2022-02-09T13:11:07+00:00", "revision_history": [ { "date": "2022-02-09T13:11:07+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-09T13:11:07+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-10T02:14:55+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Data Virtualization 6.4.8.SP1", "product": { "name": "Red Hat JBoss Data Virtualization 6.4.8.SP1", "product_id": "Red Hat JBoss Data Virtualization 6.4.8.SP1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Data Virtualization" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-17571", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-12-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1785616" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: deserialization of untrusted data in SocketServer", "title": "Vulnerability summary" }, { "category": "other", "text": "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-17571" }, { "category": "external", "summary": "RHBZ#1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-17571", "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571" } ], "release_date": "2019-12-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: deserialization of untrusted data in SocketServer" }, { "cve": "CVE-2020-9488", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2020-04-25T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1831139" } ], "notes": [ { "category": "description", "text": "Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: improper validation of certificate with host mismatch in SMTP appender", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-9488" }, { "category": "external", "summary": "RHBZ#1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9488", "url": "https://www.cve.org/CVERecord?id=CVE-2020-9488" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488" } ], "release_date": "2020-04-25T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "Previous versions can set the system property mail.smtp.ssl.checkserveridentity to true to globally enable hostname verification for SMTPS connections.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: improper validation of certificate with host mismatch in SMTP appender" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:0447
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "New Red Hat Single Sign-On 7.5.1 packages are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.5.1 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* undertow: client side invocation timeout raised when calling over HTTP and HTTP2 (CVE-2021-3859)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSSink (CVE-2022-23302)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use\nJDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0447", "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/", "url": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/" }, { "category": "external", "summary": "2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-1976", "url": "https://issues.redhat.com/browse/CIAM-1976" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0447.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update on RHEL 7", "tracking": { "current_release_date": "2025-10-09T21:42:17+00:00", "generator": { "date": "2025-10-09T21:42:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0447", "initial_release_date": "2022-02-07T13:55:22+00:00", "revision_history": [ { "date": "2022-02-07T13:55:22+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:55:22+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product": { "name": "Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el7" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el7sso?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el7sso?arch=noarch" } } }, { "category": "product_version", "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_id": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@15.0.4-1.redhat_00003.1.el7sso?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "relates_to_product_reference": "7Server-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src as a component of Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "relates_to_product_reference": "7Server-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" }, "product_reference": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "relates_to_product_reference": "7Server-RHSSO-7.5" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3859", "cwe": { "id": "CWE-214", "name": "Invocation of Process Using Visible Sensitive Information" }, "discovery_date": "2021-09-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2010378" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: client side invocation timeout raised when calling over HTTP2", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3859" }, { "category": "external", "summary": "RHBZ#2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3859", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3859" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859" } ], "release_date": "2022-02-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: client side invocation timeout raised when calling over HTTP2" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0294
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0294", "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0294.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2024-11-26T02:51:07+00:00", "generator": { "date": "2024-11-26T02:51:07+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0294", "initial_release_date": "2022-01-26T14:48:57+00:00", "revision_history": [ { "date": "2022-01-26T14:48:57+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:48:57+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:07+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product": { "name": "Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_e4s:8.1::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait:0.5:8010020220124232535:d5701770", "product": { "name": "parfait:0.5:8010020220124232535:d5701770", "product_id": "parfait:0.5:8010020220124232535:d5701770", "product_identification_helper": { "purl": "pkg:rpmmod/redhat/parfait@0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product": { "name": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_id": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch" } } }, { "category": "product_version", "name": "parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product": { "name": "parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_id": "parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch" } } }, { "category": "product_version", "name": "parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_id": "parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_id": "pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "product": { "name": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "product_id": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=src" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, "product_reference": "parfait:0.5:8010020220124232535:d5701770", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch" }, "product_reference": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src" }, "product_reference": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch" }, "product_reference": "parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch" }, "product_reference": "parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch" }, "product_reference": "pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021_5148
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.8.24 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact\nof Critical. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5148", "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5148.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.8.24 extras security update", "tracking": { "current_release_date": "2025-01-06T21:40:29+00:00", "generator": { "date": "2025-01-06T21:40:29+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.5" } }, "id": "RHSA-2021:5148", "initial_release_date": "2021-12-15T20:09:32+00:00", "revision_history": [ { "date": "2021-12-15T20:09:32+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T16:08:07+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-01-06T21:40:29+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.8", "product": { "name": "Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.8::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "product": { "name": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "product_id": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hadoop\u0026tag=v4.8.0-202112150431.p0.gebd9cb4.assembly.art3599" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.8.0-202112150431.p0.g0d7ecfb.assembly.art3599" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.8.0.202112150431.p0.g0d7ecfb.assembly.art3599-1" } } }, { "category": "product_version", "name": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64", "product": { "name": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64", "product_id": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-presto\u0026tag=v4.8.0-202112150431.p0.g4b934ae.assembly.art3599" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" }, "product_reference": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" }, "product_reference": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-15T20:09:32+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-15T20:09:32+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Critical" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-15T20:09:32+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
RHSA-2022:0661
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A minor version update (from 7.10 to 7.10.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "This release of Red Hat Fuse 7.10.1 serves as a replacement for Red Hat Fuse 7.10, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0661", "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0661.json" } ], "title": "Red Hat Security Advisory: Red Hat Fuse 7.10.1 release and security update", "tracking": { "current_release_date": "2025-10-09T21:42:20+00:00", "generator": { "date": "2025-10-09T21:42:20+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0661", "initial_release_date": "2022-02-23T14:06:23+00:00", "revision_history": [ { "date": "2022-02-23T14:06:23+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-23T14:06:23+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:20+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Fuse 7.10.1", "product": { "name": "Red Hat Fuse 7.10.1", "product_id": "Red Hat Fuse 7.10.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_fuse:7" } } } ], "category": "product_family", "name": "Red Hat JBoss Fuse" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:0553
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Fuse provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat A-MQ is a standards compliant messaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat Fuse 6.3 and Red Hat A-MQ 6.3. It includes bug fixes, which are documented in the patch notes accompanying the package on the download page. See the download link given in the references section below.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0553", "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq.broker\u0026version=6.3.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq.broker\u0026version=6.3.0" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=6.3", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=6.3" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_amq/6.3", "url": "https://access.redhat.com/documentation/en-us/red_hat_amq/6.3" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_fuse/6.3", "url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/6.3" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0553.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R20 security and bug fix update", "tracking": { "current_release_date": "2025-10-09T21:42:20+00:00", "generator": { "date": "2025-10-09T21:42:20+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0553", "initial_release_date": "2022-02-15T18:54:23+00:00", "revision_history": [ { "date": "2022-02-15T18:54:23+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-15T18:54:23+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:20+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Fuse/AMQ 6.3.20", "product": { "name": "Red Hat Fuse/AMQ 6.3.20", "product_id": "Red Hat Fuse/AMQ 6.3.20", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_amq:6.3" } } } ], "category": "product_family", "name": "Red Hat JBoss Fuse" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:1296
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:1296", "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-22105", "url": "https://issues.redhat.com/browse/JBEAP-22105" }, { "category": "external", "summary": "JBEAP-22385", "url": "https://issues.redhat.com/browse/JBEAP-22385" }, { "category": "external", "summary": "JBEAP-22731", "url": "https://issues.redhat.com/browse/JBEAP-22731" }, { "category": "external", "summary": "JBEAP-22738", "url": "https://issues.redhat.com/browse/JBEAP-22738" }, { "category": "external", "summary": "JBEAP-22819", "url": "https://issues.redhat.com/browse/JBEAP-22819" }, { "category": "external", "summary": "JBEAP-22839", "url": "https://issues.redhat.com/browse/JBEAP-22839" }, { "category": "external", "summary": "JBEAP-22864", "url": "https://issues.redhat.com/browse/JBEAP-22864" }, { "category": "external", "summary": "JBEAP-22899", "url": "https://issues.redhat.com/browse/JBEAP-22899" }, { "category": "external", "summary": "JBEAP-22904", "url": "https://issues.redhat.com/browse/JBEAP-22904" }, { "category": "external", "summary": "JBEAP-22911", "url": "https://issues.redhat.com/browse/JBEAP-22911" }, { "category": "external", "summary": "JBEAP-22912", "url": "https://issues.redhat.com/browse/JBEAP-22912" }, { "category": "external", "summary": "JBEAP-22913", "url": "https://issues.redhat.com/browse/JBEAP-22913" }, { "category": "external", "summary": "JBEAP-22935", "url": "https://issues.redhat.com/browse/JBEAP-22935" }, { "category": "external", "summary": "JBEAP-22945", "url": "https://issues.redhat.com/browse/JBEAP-22945" }, { "category": "external", "summary": "JBEAP-22973", "url": "https://issues.redhat.com/browse/JBEAP-22973" }, { "category": "external", "summary": "JBEAP-23038", "url": "https://issues.redhat.com/browse/JBEAP-23038" }, { "category": "external", "summary": "JBEAP-23040", "url": "https://issues.redhat.com/browse/JBEAP-23040" }, { "category": "external", "summary": "JBEAP-23045", "url": "https://issues.redhat.com/browse/JBEAP-23045" }, { "category": "external", "summary": "JBEAP-23101", "url": "https://issues.redhat.com/browse/JBEAP-23101" }, { "category": "external", "summary": "JBEAP-23105", "url": "https://issues.redhat.com/browse/JBEAP-23105" }, { "category": "external", "summary": "JBEAP-23143", "url": "https://issues.redhat.com/browse/JBEAP-23143" }, { "category": "external", "summary": "JBEAP-23177", "url": "https://issues.redhat.com/browse/JBEAP-23177" }, { "category": "external", "summary": "JBEAP-23323", "url": "https://issues.redhat.com/browse/JBEAP-23323" }, { "category": "external", "summary": "JBEAP-23373", "url": "https://issues.redhat.com/browse/JBEAP-23373" }, { "category": "external", "summary": "JBEAP-23374", "url": "https://issues.redhat.com/browse/JBEAP-23374" }, { "category": "external", "summary": "JBEAP-23375", "url": "https://issues.redhat.com/browse/JBEAP-23375" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1296.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update", "tracking": { "current_release_date": "2025-10-09T21:42:23+00:00", "generator": { "date": "2025-10-09T21:42:23+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:1296", "initial_release_date": "2022-04-11T12:59:41+00:00", "revision_history": [ { "date": "2022-04-11T12:59:41+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-04-11T12:59:41+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:23+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el7eap?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el7-x86_64@2.2.0-2.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el7eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-core@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-entitymanager@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-envers@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-java8@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-compensations@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbosstxbridge@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbossxts@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-idlj@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-integration@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-api@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-bridge@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-integration@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-util@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-txframework@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-cli@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-commons@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-core-client@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-dto@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hornetq-protocol@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hqclient-protocol@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jdbc-store@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-client@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-server@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-journal@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-ra@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-selector@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-server@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-service-extensions@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-tools@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.11-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-jdbc@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-remote@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-client-hotrod@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-commons@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-component-annotations@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-core@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-commons@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-spi@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-v53@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el7eap?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-java@2.2.0-3.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-15.Final_redhat_00014.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-15.Final_redhat_00014.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_id": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el7-x86_64@2.2.0-2.Final_redhat_00002.1.el7eap?arch=x86_64" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_id": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el7-x86_64-debuginfo@2.2.0-2.Final_redhat_00002.1.el7eap?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0437
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Enterprise Application Platform 6.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis asynchronous patch is an update for JBoss Enterprise Application Platform 6.4. All users of Red Hat JBoss Enterprise Application Platform 6.4 are advised to upgrade to this updated package.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0437", "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0437.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4 security update", "tracking": { "current_release_date": "2024-11-26T02:51:47+00:00", "generator": { "date": "2024-11-26T02:51:47+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0437", "initial_release_date": "2022-02-03T18:43:46+00:00", "revision_history": [ { "date": "2022-02-03T18:43:46+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:43:46+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:47+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 6.4 log4j async", "product": { "name": "EAP 6.4 log4j async", "product_id": "EAP 6.4 log4j async", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:0435
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0435", "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0435.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update", "tracking": { "current_release_date": "2025-10-09T21:42:16+00:00", "generator": { "date": "2025-10-09T21:42:16+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0435", "initial_release_date": "2022-02-03T18:23:56+00:00", "revision_history": [ { "date": "2022-02-03T18:23:56+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:23:56+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:16+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 7.4 log4j async", "product": { "name": "EAP 7.4 log4j async", "product_id": "EAP 7.4 log4j async", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0436
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0436", "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0436.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update", "tracking": { "current_release_date": "2024-11-26T02:51:32+00:00", "generator": { "date": "2024-11-26T02:51:32+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0436", "initial_release_date": "2022-02-03T18:30:42+00:00", "revision_history": [ { "date": "2022-02-03T18:30:42+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:30:42+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:32+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7" } } }, { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el8eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el8eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0449
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat Single Sign-On 7.5 from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.5.1 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0449", "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.5", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.5" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2054", "url": "https://issues.redhat.com/browse/CIAM-2054" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0449.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update", "tracking": { "current_release_date": "2024-11-26T02:51:47+00:00", "generator": { "date": "2024-11-26T02:51:47+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0449", "initial_release_date": "2022-02-07T13:48:02+00:00", "revision_history": [ { "date": "2022-02-07T13:48:02+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:48:02+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:47+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHSSO 7.5.1", "product": { "name": "RHSSO 7.5.1", "product_id": "RHSSO 7.5.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "acknowledgments": [ { "names": [ "Christian D\u00f6lling" ] } ], "cve": "CVE-2022-1466", "cwe": { "id": "CWE-1220", "name": "Insufficient Granularity of Access Control" }, "discovery_date": "2022-02-03T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2050228" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak. The Red Hat Single Sign-On allowed authed users to perform actions outside their permissions. This flaw makes adding users to the master realm possible even though no respective permission was granted.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: Improper authorization for master realm", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1466" }, { "category": "external", "summary": "RHBZ#2050228", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2050228" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1466", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1466" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1466", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1466" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: Improper authorization for master realm" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0553
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Fuse provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat A-MQ is a standards compliant messaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat Fuse 6.3 and Red Hat A-MQ 6.3. It includes bug fixes, which are documented in the patch notes accompanying the package on the download page. See the download link given in the references section below.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0553", "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq.broker\u0026version=6.3.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq.broker\u0026version=6.3.0" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=6.3", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=6.3" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_amq/6.3", "url": "https://access.redhat.com/documentation/en-us/red_hat_amq/6.3" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_fuse/6.3", "url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/6.3" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0553.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R20 security and bug fix update", "tracking": { "current_release_date": "2024-11-26T02:52:34+00:00", "generator": { "date": "2024-11-26T02:52:34+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0553", "initial_release_date": "2022-02-15T18:54:23+00:00", "revision_history": [ { "date": "2022-02-15T18:54:23+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-15T18:54:23+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:52:34+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Fuse/AMQ 6.3.20", "product": { "name": "Red Hat Fuse/AMQ 6.3.20", "product_id": "Red Hat Fuse/AMQ 6.3.20", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_fuse:6.3" } } } ], "category": "product_family", "name": "Red Hat JBoss Fuse" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:0475
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "The ovirt-engine package provides the manager for virtualization environments.\nThis manager enables admins to define hosts and networks, as well as to add\nstorage, create VMs and manage user permissions.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\nBug Fix(es):\n\n* With this release, the ovirt-engine-extension-logger-log4j package has been removed. It is replaced by an internal ovirt-engine implementation. \n\nWhen upgrading from earlier Red Hat Virtualization versions to RHV 4.4.10, the ovirt-engine-extension-logger-log4j package is uninstalled if it is present. If you used the ovirt-engine-extension-logger-log4j in earlier Red Hat Virtualization versions, you must manually remove the ovirt-engine-extension-logger-log4j configuration files and configure the new feature for sending log records to a remote syslog service, as outlined in the Administration Guide.\n\nAfter a successful upgrade to RHV 4.4.10, you can uninstall log4j12 without breaking the Red Hat Virtualization setup by running the following command: `$ dnf remove log4j12`. (BZ#2044277)\n\n* Previously, when preparing a host with FIPS kernel parameters enabled, the boot UUID parameter was blank after reboot. In this release, the UUID is present in the kernel arguments. Enabling FIPS does not change the UUID after reboot. (BZ#2013430)\n\n* Because installing the self-hosted engine with Cockpit is deprecated, the \u0027Installing Red Hat Virtualization as a self-hosted engine using the Cockpit web interface\u0027 link\non the Red Hat Virtualization Administration Portal login page has been replaced with the \"Installing Red Hat Virtualization as a self-hosted engine using the command line\" link. (BZ#1992476)\n\n* In this release, Red Hat Virtualization 4.4.10 requires snmp4j version 3.6.4 or later, which no longer depends on the log4j library. (BZ#2044257)", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0475", "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "1992476", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992476" }, { "category": "external", "summary": "2013430", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2013430" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "2044257", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044257" }, { "category": "external", "summary": "2044277", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044277" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0475.json" } ], "title": "Red Hat Security Advisory: RHV Manager (ovirt-engine) security update [ovirt-4.4.10-1]", "tracking": { "current_release_date": "2025-10-09T21:42:18+00:00", "generator": { "date": "2025-10-09T21:42:18+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0475", "initial_release_date": "2022-02-08T17:00:26+00:00", "revision_history": [ { "date": "2022-02-08T17:00:26+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-08T17:00:26+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:18+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product": { "name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhev_manager:4.4:el8" } } } ], "category": "product_family", "name": "Red Hat Virtualization" }, { "branches": [ { "category": "product_version", "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "product": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "product_id": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-branding-rhv@4.4.10-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "snmp4j-0:3.6.4-0.1.el8ev.src", "product": { "name": "snmp4j-0:3.6.4-0.1.el8ev.src", "product_id": "snmp4j-0:3.6.4-0.1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/snmp4j@3.6.4-0.1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "product": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "product_id": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine@4.4.10.6-0.1.el8ev?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "product": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "product_id": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-branding-rhv@4.4.10-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "product": { "name": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "product_id": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/snmp4j@3.6.4-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "product": { "name": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "product_id": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/snmp4j-javadoc@3.6.4-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-backend@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dbscripts@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-health-check-bundler@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-restapi@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-base@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-cinderlib@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-imageio@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine-common@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-vmconsole-proxy-helper@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-websocket-proxy@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-tools@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-tools-backup@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-vmconsole-proxy-helper@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-webadmin-portal@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-websocket-proxy@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python3-ovirt-engine-lib@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm@4.4.10.6-0.1.el8ev?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src" }, "product_reference": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch" }, "product_reference": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" }, "product_reference": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "snmp4j-0:3.6.4-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch" }, "product_reference": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "snmp4j-0:3.6.4-0.1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src" }, "product_reference": "snmp4j-0:3.6.4-0.1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" }, "product_reference": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021_5206
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for log4j is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 7.3 Advanced Update Support, Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.6 Advanced Update Support, Red Hat Enterprise Linux 7.6 Telco Extended Update Support, Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.7 Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Log4j is a tool to help the programmer output log statements to a variety of output targets.\n\nSecurity Fix(es):\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5206", "url": "https://access.redhat.com/errata/RHSA-2021:5206" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5206.json" } ], "title": "Red Hat Security Advisory: log4j security update", "tracking": { "current_release_date": "2024-11-26T02:51:33+00:00", "generator": { "date": "2024-11-26T02:51:33+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2021:5206", "initial_release_date": "2021-12-20T09:54:00+00:00", "revision_history": [ { "date": "2021-12-20T09:54:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-20T09:54:00+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:33+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux Server (v. 6 ELS)", "product": { "name": "Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_els:6" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product": { "name": "Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_els:6" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.3)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.3::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.3::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.4)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.4::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.4::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server E4S (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server TUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server E4S (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server TUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Client (v. 7)", "product": { "name": "Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::client" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Client Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::client" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::computenode" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server (v. 7)", "product": { "name": "Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Workstation (v. 7)", "product": { "name": "Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::workstation" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Workstation Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::workstation" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.14-6.5.el6_10.src", "product": { "name": "log4j-0:1.2.14-6.5.el6_10.src", "product_id": "log4j-0:1.2.14-6.5.el6_10.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.5.el6_10?arch=src" } } }, { "category": "product_version", "name": "log4j-0:1.2.17-16.el7_3.src", "product": { "name": "log4j-0:1.2.17-16.el7_3.src", "product_id": "log4j-0:1.2.17-16.el7_3.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-16.el7_3?arch=src" } } }, { "category": "product_version", "name": "log4j-0:1.2.17-17.el7_4.src", "product": { "name": "log4j-0:1.2.17-17.el7_4.src", "product_id": "log4j-0:1.2.17-17.el7_4.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-17.el7_4?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.14-6.5.el6_10.x86_64", "product": { "name": "log4j-0:1.2.14-6.5.el6_10.x86_64", "product_id": "log4j-0:1.2.14-6.5.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.5.el6_10?arch=x86_64" } } }, { "category": "product_version", "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "product": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "product_id": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-debuginfo@1.2.14-6.5.el6_10?arch=x86_64" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "product": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "product_id": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.14-6.5.el6_10?arch=x86_64" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "product": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "product_id": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.14-6.5.el6_10?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.14-6.5.el6_10.i686", "product": { "name": "log4j-0:1.2.14-6.5.el6_10.i686", "product_id": "log4j-0:1.2.14-6.5.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.5.el6_10?arch=i686" } } }, { "category": "product_version", "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "product": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "product_id": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-debuginfo@1.2.14-6.5.el6_10?arch=i686" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "product": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "product_id": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.14-6.5.el6_10?arch=i686" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "product": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "product_id": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.14-6.5.el6_10?arch=i686" } } } ], "category": "architecture", "name": "i686" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.14-6.5.el6_10.s390x", "product": { "name": "log4j-0:1.2.14-6.5.el6_10.s390x", "product_id": "log4j-0:1.2.14-6.5.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.5.el6_10?arch=s390x" } } }, { "category": "product_version", "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "product": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "product_id": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-debuginfo@1.2.14-6.5.el6_10?arch=s390x" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "product": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "product_id": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.14-6.5.el6_10?arch=s390x" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "product": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "product_id": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.14-6.5.el6_10?arch=s390x" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.17-16.el7_3.noarch", "product": { "name": "log4j-0:1.2.17-16.el7_3.noarch", "product_id": "log4j-0:1.2.17-16.el7_3.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-16.el7_3?arch=noarch" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "product": { "name": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "product_id": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.17-16.el7_3?arch=noarch" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.17-16.el7_3.noarch", "product": { "name": "log4j-manual-0:1.2.17-16.el7_3.noarch", "product_id": "log4j-manual-0:1.2.17-16.el7_3.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.17-16.el7_3?arch=noarch" } } }, { "category": "product_version", "name": "log4j-0:1.2.17-17.el7_4.noarch", "product": { "name": "log4j-0:1.2.17-17.el7_4.noarch", "product_id": "log4j-0:1.2.17-17.el7_4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-17.el7_4?arch=noarch" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "product": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "product_id": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.17-17.el7_4?arch=noarch" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.17-17.el7_4.noarch", "product": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch", "product_id": "log4j-manual-0:1.2.17-17.el7_4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.17-17.el7_4?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.src as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.src", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.src as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.src", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-16.el7_3.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src" }, "product_reference": "log4j-0:1.2.17-16.el7_3.src", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-manual-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-16.el7_3.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src" }, "product_reference": "log4j-0:1.2.17-16.el7_3.src", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-manual-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Workstation-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-optional-7.9.Z" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-20T09:54:00+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5206" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" } ] }
RHSA-2022:0527
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Web Server 3.1 for Red Hat Enterprise Linux 7 and Microsoft Windows.\n\nRed Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 14 serves as a replacement for Red Hat JBoss Web Server 3.1 Service Pack 12. This release includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [jws-3] (CVE-2022-23302)\n* log4j-eap6: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [jws-3] (CVE-2022-23305)\n* log4j-eap6: log4j: Unsafe deserialization flaw in Chainsaw log viewer [jws-3] (CVE-2022-23307)\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [jws-3.1] (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0527", "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0527.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Web Server 3.1 Service Pack 14 security update", "tracking": { "current_release_date": "2025-10-09T21:42:20+00:00", "generator": { "date": "2025-10-09T21:42:20+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0527", "initial_release_date": "2022-02-14T17:30:24+00:00", "revision_history": [ { "date": "2022-02-14T17:30:24+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-14T17:30:24+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:20+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Web Server 3.1", "product": { "name": "Red Hat JBoss Web Server 3.1", "product_id": "Red Hat JBoss Web Server 3.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1" } } } ], "category": "product_family", "name": "Red Hat JBoss Web Server" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021:5186
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.6.52 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046 (CVE-2021-4125)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5186", "url": "https://access.redhat.com/errata/RHSA-2021:5186" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5186.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.6.52 security update", "tracking": { "current_release_date": "2025-10-09T21:42:10+00:00", "generator": { "date": "2025-10-09T21:42:10+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2021:5186", "initial_release_date": "2021-12-16T22:34:47+00:00", "revision_history": [ { "date": "2021-12-16T22:34:47+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T22:34:47+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:10+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.6", "product": { "name": "Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.6::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64", "product": { "name": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64", "product_id": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hive\u0026tag=v4.6.0-202112160147.p0.gf139e12.assembly.stream" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.6.0-202112161349.p0.gd74112d.assembly.art3595" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.6.0.202112161349.p0.gd74112d.assembly.art3595-1" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" }, "product_reference": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T22:34:47+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5186" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-4125", "discovery_date": "2021-12-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2033121" } ], "notes": [ { "category": "description", "text": "It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed.", "title": "Vulnerability description" }, { "category": "summary", "text": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046", "title": "Vulnerability summary" }, { "category": "other", "text": "This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6. The below previously shipped advisories were incomplete:\n\nhttps://access.redhat.com/errata/RHSA-2021:5108\n\nhttps://access.redhat.com/errata/RHSA-2021:5107\n\nhttps://access.redhat.com/errata/RHSA-2021:5106\n\nFor the complete fix, customers should upgrade to the images shipped in these advisories:\n\n4.8.24: https://access.redhat.com/errata/RHSA-2021:5183\n\n4.7.40: https://access.redhat.com/errata/RHSA-2021:5184\n\n4.6.52 https://access.redhat.com/errata/RHSA-2021:5186\n\nThe OpenShift Metering hive container images were deprecated in OpenShift 4.8, and not shipped in 4.9 or later.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4125" }, { "category": "external", "summary": "RHBZ#2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4125", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4125" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-45046", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" } ], "release_date": "2021-12-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T22:34:47+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5186" }, { "category": "workaround", "details": "Please follow the Mitigation advice for the original CVEs.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046" } ] }
rhsa-2022:0447
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "New Red Hat Single Sign-On 7.5.1 packages are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.5.1 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* undertow: client side invocation timeout raised when calling over HTTP and HTTP2 (CVE-2021-3859)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSSink (CVE-2022-23302)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use\nJDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0447", "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/", "url": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/" }, { "category": "external", "summary": "2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-1976", "url": "https://issues.redhat.com/browse/CIAM-1976" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0447.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update on RHEL 7", "tracking": { "current_release_date": "2025-10-09T21:42:17+00:00", "generator": { "date": "2025-10-09T21:42:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0447", "initial_release_date": "2022-02-07T13:55:22+00:00", "revision_history": [ { "date": "2022-02-07T13:55:22+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:55:22+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product": { "name": "Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el7" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el7sso?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el7sso?arch=noarch" } } }, { "category": "product_version", "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_id": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@15.0.4-1.redhat_00003.1.el7sso?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "relates_to_product_reference": "7Server-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src as a component of Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "relates_to_product_reference": "7Server-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" }, "product_reference": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "relates_to_product_reference": "7Server-RHSSO-7.5" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3859", "cwe": { "id": "CWE-214", "name": "Invocation of Process Using Visible Sensitive Information" }, "discovery_date": "2021-09-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2010378" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: client side invocation timeout raised when calling over HTTP2", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3859" }, { "category": "external", "summary": "RHBZ#2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3859", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3859" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859" } ], "release_date": "2022-02-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: client side invocation timeout raised when calling over HTTP2" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:0438
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis asynchronous patch is an update for JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5, 6, and 7. All users of Red Hat JBoss Enterprise Application Platform 6.4 are advised to upgrade to this updated package.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0438", "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0438.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4 security update", "tracking": { "current_release_date": "2025-10-09T21:42:17+00:00", "generator": { "date": "2025-10-09T21:42:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0438", "initial_release_date": "2022-02-03T18:51:47+00:00", "revision_history": [ { "date": "2022-02-03T18:51:47+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:51:47+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6" } } }, { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0527
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Web Server 3.1 for Red Hat Enterprise Linux 7 and Microsoft Windows.\n\nRed Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 14 serves as a replacement for Red Hat JBoss Web Server 3.1 Service Pack 12. This release includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [jws-3] (CVE-2022-23302)\n* log4j-eap6: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [jws-3] (CVE-2022-23305)\n* log4j-eap6: log4j: Unsafe deserialization flaw in Chainsaw log viewer [jws-3] (CVE-2022-23307)\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [jws-3.1] (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0527", "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0527.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Web Server 3.1 Service Pack 14 security update", "tracking": { "current_release_date": "2024-11-26T02:52:27+00:00", "generator": { "date": "2024-11-26T02:52:27+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0527", "initial_release_date": "2022-02-14T17:30:24+00:00", "revision_history": [ { "date": "2022-02-14T17:30:24+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-14T17:30:24+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:52:27+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Web Server 3.1", "product": { "name": "Red Hat JBoss Web Server 3.1", "product_id": "Red Hat JBoss Web Server 3.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1" } } } ], "category": "product_family", "name": "Red Hat JBoss Web Server" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0435
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0435", "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0435.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update", "tracking": { "current_release_date": "2024-11-26T02:51:54+00:00", "generator": { "date": "2024-11-26T02:51:54+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0435", "initial_release_date": "2022-02-03T18:23:56+00:00", "revision_history": [ { "date": "2022-02-03T18:23:56+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:23:56+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:54+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 7.4 log4j async", "product": { "name": "EAP 7.4 log4j async", "product_id": "EAP 7.4 log4j async", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:0294
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0294", "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0294.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2025-10-09T21:42:16+00:00", "generator": { "date": "2025-10-09T21:42:16+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0294", "initial_release_date": "2022-01-26T14:48:57+00:00", "revision_history": [ { "date": "2022-01-26T14:48:57+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:48:57+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:16+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product": { "name": "Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_e4s:8.1::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "product": { "name": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm (parfait:0.5)", "product_id": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "product": { "name": "parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm (parfait:0.5)", "product_id": "parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "product": { "name": "parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm (parfait:0.5)", "product_id": "parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "product": { "name": "pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm (parfait:0.5)", "product_id": "pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "product": { "name": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm (parfait:0.5)", "product_id": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=src\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5" }, "product_reference": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5" }, "product_reference": "pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:0553
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Fuse provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat A-MQ is a standards compliant messaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat Fuse 6.3 and Red Hat A-MQ 6.3. It includes bug fixes, which are documented in the patch notes accompanying the package on the download page. See the download link given in the references section below.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0553", "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq.broker\u0026version=6.3.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq.broker\u0026version=6.3.0" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=6.3", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=6.3" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_amq/6.3", "url": "https://access.redhat.com/documentation/en-us/red_hat_amq/6.3" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_fuse/6.3", "url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/6.3" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0553.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R20 security and bug fix update", "tracking": { "current_release_date": "2025-10-09T21:42:20+00:00", "generator": { "date": "2025-10-09T21:42:20+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0553", "initial_release_date": "2022-02-15T18:54:23+00:00", "revision_history": [ { "date": "2022-02-15T18:54:23+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-15T18:54:23+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:20+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Fuse/AMQ 6.3.20", "product": { "name": "Red Hat Fuse/AMQ 6.3.20", "product_id": "Red Hat Fuse/AMQ 6.3.20", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_amq:6.3" } } } ], "category": "product_family", "name": "Red Hat JBoss Fuse" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:1297
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:1297", "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-22105", "url": "https://issues.redhat.com/browse/JBEAP-22105" }, { "category": "external", "summary": "JBEAP-22385", "url": "https://issues.redhat.com/browse/JBEAP-22385" }, { "category": "external", "summary": "JBEAP-22731", "url": "https://issues.redhat.com/browse/JBEAP-22731" }, { "category": "external", "summary": "JBEAP-22738", "url": "https://issues.redhat.com/browse/JBEAP-22738" }, { "category": "external", "summary": "JBEAP-22819", "url": "https://issues.redhat.com/browse/JBEAP-22819" }, { "category": "external", "summary": "JBEAP-22839", "url": "https://issues.redhat.com/browse/JBEAP-22839" }, { "category": "external", "summary": "JBEAP-22864", "url": "https://issues.redhat.com/browse/JBEAP-22864" }, { "category": "external", "summary": "JBEAP-22900", "url": "https://issues.redhat.com/browse/JBEAP-22900" }, { "category": "external", "summary": "JBEAP-22904", "url": "https://issues.redhat.com/browse/JBEAP-22904" }, { "category": "external", "summary": "JBEAP-22911", "url": "https://issues.redhat.com/browse/JBEAP-22911" }, { "category": "external", "summary": "JBEAP-22912", "url": "https://issues.redhat.com/browse/JBEAP-22912" }, { "category": "external", "summary": "JBEAP-22913", "url": "https://issues.redhat.com/browse/JBEAP-22913" }, { "category": "external", "summary": "JBEAP-22935", "url": "https://issues.redhat.com/browse/JBEAP-22935" }, { "category": "external", "summary": "JBEAP-22945", "url": "https://issues.redhat.com/browse/JBEAP-22945" }, { "category": "external", "summary": "JBEAP-22973", "url": "https://issues.redhat.com/browse/JBEAP-22973" }, { "category": "external", "summary": "JBEAP-23038", "url": "https://issues.redhat.com/browse/JBEAP-23038" }, { "category": "external", "summary": "JBEAP-23040", "url": "https://issues.redhat.com/browse/JBEAP-23040" }, { "category": "external", "summary": "JBEAP-23045", "url": "https://issues.redhat.com/browse/JBEAP-23045" }, { "category": "external", "summary": "JBEAP-23101", "url": "https://issues.redhat.com/browse/JBEAP-23101" }, { "category": "external", "summary": "JBEAP-23105", "url": "https://issues.redhat.com/browse/JBEAP-23105" }, { "category": "external", "summary": "JBEAP-23143", "url": "https://issues.redhat.com/browse/JBEAP-23143" }, { "category": "external", "summary": "JBEAP-23177", "url": "https://issues.redhat.com/browse/JBEAP-23177" }, { "category": "external", "summary": "JBEAP-23323", "url": "https://issues.redhat.com/browse/JBEAP-23323" }, { "category": "external", "summary": "JBEAP-23373", "url": "https://issues.redhat.com/browse/JBEAP-23373" }, { "category": "external", "summary": "JBEAP-23374", "url": "https://issues.redhat.com/browse/JBEAP-23374" }, { "category": "external", "summary": "JBEAP-23375", "url": "https://issues.redhat.com/browse/JBEAP-23375" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1297.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update", "tracking": { "current_release_date": "2025-10-09T21:42:24+00:00", "generator": { "date": "2025-10-09T21:42:24+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:1297", "initial_release_date": "2022-04-11T13:00:18+00:00", "revision_history": [ { "date": "2022-04-11T13:00:18+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-04-11T13:00:18+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:24+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el8eap?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el8-x86_64@2.2.0-2.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el8eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-core@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-entitymanager@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-envers@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-java8@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-compensations@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbosstxbridge@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbossxts@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-idlj@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-integration@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-api@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-bridge@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-integration@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-util@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-txframework@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-cli@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-commons@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-core-client@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-dto@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hornetq-protocol@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hqclient-protocol@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jdbc-store@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-client@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-server@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-journal@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-ra@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-selector@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-server@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-service-extensions@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-tools@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.11-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-jdbc@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-remote@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-client-hotrod@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-commons@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-component-annotations@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-core@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-commons@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-spi@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-v53@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el8eap?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-java@2.2.0-3.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-15.Final_redhat_00014.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-15.Final_redhat_00014.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_id": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.4-3.GA_redhat_00011.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_id": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.4-3.GA_redhat_00011.1.el8eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_id": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el8-x86_64@2.2.0-2.Final_redhat_00002.1.el8eap?arch=x86_64" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_id": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el8-x86_64-debuginfo@2.2.0-2.Final_redhat_00002.1.el8eap?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0291
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0291", "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0291.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2024-11-26T02:51:16+00:00", "generator": { "date": "2024-11-26T02:51:16+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0291", "initial_release_date": "2022-01-26T14:54:58+00:00", "revision_history": [ { "date": "2022-01-26T14:54:58+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:54:58+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:16+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product": { "name": "Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_eus:8.2::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait:0.5:8020020220124231008:1c5d4e8a", "product": { "name": "parfait:0.5:8020020220124231008:1c5d4e8a", "product_id": "parfait:0.5:8020020220124231008:1c5d4e8a", "product_identification_helper": { "purl": "pkg:rpmmod/redhat/parfait@0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product": { "name": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_id": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch" } } }, { "category": "product_version", "name": "parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product": { "name": "parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_id": "parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch" } } }, { "category": "product_version", "name": "parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_id": "parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_id": "pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "product": { "name": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "product_id": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=src" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, "product_reference": "parfait:0.5:8020020220124231008:1c5d4e8a", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch" }, "product_reference": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src" }, "product_reference": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch" }, "product_reference": "parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch" }, "product_reference": "parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch" }, "product_reference": "pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2021:5148
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.8.24 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact\nof Critical. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5148", "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5148.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.8.24 extras security update", "tracking": { "current_release_date": "2025-10-22T11:00:16+00:00", "generator": { "date": "2025-10-22T11:00:16+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2021:5148", "initial_release_date": "2021-12-15T20:09:32+00:00", "revision_history": [ { "date": "2021-12-15T20:09:32+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T16:08:07+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-22T11:00:16+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.8", "product": { "name": "Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.8::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "product": { "name": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "product_id": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hadoop\u0026tag=v4.8.0-202112150431.p0.gebd9cb4.assembly.art3599" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.8.0-202112150431.p0.g0d7ecfb.assembly.art3599" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.8.0.202112150431.p0.g0d7ecfb.assembly.art3599-1" } } }, { "category": "product_version", "name": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64", "product": { "name": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64", "product_id": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-presto\u0026tag=v4.8.0-202112150431.p0.g4b934ae.assembly.art3599" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" }, "product_reference": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" }, "product_reference": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-15T20:09:32+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-15T20:09:32+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Critical" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-15T20:09:32+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
rhsa-2022:0527
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Web Server 3.1 for Red Hat Enterprise Linux 7 and Microsoft Windows.\n\nRed Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 14 serves as a replacement for Red Hat JBoss Web Server 3.1 Service Pack 12. This release includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [jws-3] (CVE-2022-23302)\n* log4j-eap6: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [jws-3] (CVE-2022-23305)\n* log4j-eap6: log4j: Unsafe deserialization flaw in Chainsaw log viewer [jws-3] (CVE-2022-23307)\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [jws-3.1] (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0527", "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0527.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Web Server 3.1 Service Pack 14 security update", "tracking": { "current_release_date": "2025-10-09T21:42:20+00:00", "generator": { "date": "2025-10-09T21:42:20+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0527", "initial_release_date": "2022-02-14T17:30:24+00:00", "revision_history": [ { "date": "2022-02-14T17:30:24+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-14T17:30:24+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:20+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Web Server 3.1", "product": { "name": "Red Hat JBoss Web Server 3.1", "product_id": "Red Hat JBoss Web Server 3.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1" } } } ], "category": "product_family", "name": "Red Hat JBoss Web Server" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0475
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "The ovirt-engine package provides the manager for virtualization environments.\nThis manager enables admins to define hosts and networks, as well as to add\nstorage, create VMs and manage user permissions.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\nBug Fix(es):\n\n* With this release, the ovirt-engine-extension-logger-log4j package has been removed. It is replaced by an internal ovirt-engine implementation. \n\nWhen upgrading from earlier Red Hat Virtualization versions to RHV 4.4.10, the ovirt-engine-extension-logger-log4j package is uninstalled if it is present. If you used the ovirt-engine-extension-logger-log4j in earlier Red Hat Virtualization versions, you must manually remove the ovirt-engine-extension-logger-log4j configuration files and configure the new feature for sending log records to a remote syslog service, as outlined in the Administration Guide.\n\nAfter a successful upgrade to RHV 4.4.10, you can uninstall log4j12 without breaking the Red Hat Virtualization setup by running the following command: `$ dnf remove log4j12`. (BZ#2044277)\n\n* Previously, when preparing a host with FIPS kernel parameters enabled, the boot UUID parameter was blank after reboot. In this release, the UUID is present in the kernel arguments. Enabling FIPS does not change the UUID after reboot. (BZ#2013430)\n\n* Because installing the self-hosted engine with Cockpit is deprecated, the \u0027Installing Red Hat Virtualization as a self-hosted engine using the Cockpit web interface\u0027 link\non the Red Hat Virtualization Administration Portal login page has been replaced with the \"Installing Red Hat Virtualization as a self-hosted engine using the command line\" link. (BZ#1992476)\n\n* In this release, Red Hat Virtualization 4.4.10 requires snmp4j version 3.6.4 or later, which no longer depends on the log4j library. (BZ#2044257)", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0475", "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "1992476", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992476" }, { "category": "external", "summary": "2013430", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2013430" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "2044257", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044257" }, { "category": "external", "summary": "2044277", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044277" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0475.json" } ], "title": "Red Hat Security Advisory: RHV Manager (ovirt-engine) security update [ovirt-4.4.10-1]", "tracking": { "current_release_date": "2024-11-26T02:52:17+00:00", "generator": { "date": "2024-11-26T02:52:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0475", "initial_release_date": "2022-02-08T17:00:26+00:00", "revision_history": [ { "date": "2022-02-08T17:00:26+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-08T17:00:26+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:52:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product": { "name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhev_manager:4.4:el8" } } } ], "category": "product_family", "name": "Red Hat Virtualization" }, { "branches": [ { "category": "product_version", "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "product": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "product_id": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-branding-rhv@4.4.10-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "snmp4j-0:3.6.4-0.1.el8ev.src", "product": { "name": "snmp4j-0:3.6.4-0.1.el8ev.src", "product_id": "snmp4j-0:3.6.4-0.1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/snmp4j@3.6.4-0.1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "product": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "product_id": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine@4.4.10.6-0.1.el8ev?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "product": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "product_id": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-branding-rhv@4.4.10-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "product": { "name": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "product_id": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/snmp4j@3.6.4-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "product": { "name": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "product_id": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/snmp4j-javadoc@3.6.4-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-backend@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dbscripts@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-health-check-bundler@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-restapi@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-base@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-cinderlib@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-imageio@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine-common@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-vmconsole-proxy-helper@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-websocket-proxy@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-tools@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-tools-backup@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-vmconsole-proxy-helper@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-webadmin-portal@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-websocket-proxy@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python3-ovirt-engine-lib@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm@4.4.10.6-0.1.el8ev?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src" }, "product_reference": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch" }, "product_reference": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" }, "product_reference": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "snmp4j-0:3.6.4-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch" }, "product_reference": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "snmp4j-0:3.6.4-0.1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src" }, "product_reference": "snmp4j-0:3.6.4-0.1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" }, "product_reference": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:0524
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Web Server 3.1 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 14 serves as a replacement for Red Hat JBoss Web Server 3.1 Service Pack 13. This release includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [jws-3] (CVE-2022-23302)\n* log4j-eap6: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [jws-3] (CVE-2022-23305)\n* log4j-eap6: log4j: Unsafe deserialization flaw in Chainsaw log viewer [jws-3] (CVE-2022-23307)\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [jws-3.1] (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0524", "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0524.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Web Server 3.1 Service Pack 14 Security Update", "tracking": { "current_release_date": "2025-10-09T21:42:24+00:00", "generator": { "date": "2025-10-09T21:42:24+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0524", "initial_release_date": "2022-02-14T17:10:12+00:00", "revision_history": [ { "date": "2022-02-14T17:10:12+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-14T17:10:12+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:24+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Web Server 3.1 for RHEL 7", "product": { "name": "Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Web Server" }, { "branches": [ { "category": "product_version", "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "product": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "product_id": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-native@1.2.23-26.redhat_26.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "tomcat7-0:7.0.70-46.ep7.el7.src", "product": { "name": "tomcat7-0:7.0.70-46.ep7.el7.src", "product_id": "tomcat7-0:7.0.70-46.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7@7.0.70-46.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "tomcat8-0:8.0.36-49.ep7.el7.src", "product": { "name": "tomcat8-0:8.0.36-49.ep7.el7.src", "product_id": "tomcat8-0:8.0.36-49.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8@8.0.36-49.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_id": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-native@1.2.23-26.redhat_26.ep7.el7?arch=x86_64" } } }, { "category": "product_version", "name": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product": { "name": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_id": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-native-debuginfo@1.2.23-26.redhat_26.ep7.el7?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-admin-webapps@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-docs-webapp@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-el-2.2-api@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-javadoc@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-jsp-2.2-api@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-jsvc@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-lib@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-log4j@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-selinux@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-servlet-3.0-api@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-webapps@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-admin-webapps@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-docs-webapp@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-el-2.2-api@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-javadoc@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-jsp-2.3-api@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-jsvc@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-lib@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-log4j@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-selinux@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-servlet-3.1-api@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-webapps@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src" }, "product_reference": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64" }, "product_reference": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64" }, "product_reference": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-0:7.0.70-46.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src" }, "product_reference": "tomcat7-0:7.0.70-46.ep7.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-0:8.0.36-49.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src" }, "product_reference": "tomcat8-0:8.0.36-49.ep7.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021_5183
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.8.24 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046 (CVE-2021-4125)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5183", "url": "https://access.redhat.com/errata/RHSA-2021:5183" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5183.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.8.24 security update", "tracking": { "current_release_date": "2024-11-26T02:51:19+00:00", "generator": { "date": "2024-11-26T02:51:19+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2021:5183", "initial_release_date": "2021-12-16T21:14:49+00:00", "revision_history": [ { "date": "2021-12-16T21:14:49+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T21:14:49+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:19+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.8", "product": { "name": "Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.8::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64", "product": { "name": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64", "product_id": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hive\u0026tag=v4.8.0-202112160147.p0.g5672016.assembly.stream" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.8.0-202112161229.p0.g0d7ecfb.assembly.art3599" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.8.0.202112161229.p0.g0d7ecfb.assembly.art3599-1" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" }, "product_reference": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T21:14:49+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5183" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-4125", "discovery_date": "2021-12-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2033121" } ], "notes": [ { "category": "description", "text": "It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed.", "title": "Vulnerability description" }, { "category": "summary", "text": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046", "title": "Vulnerability summary" }, { "category": "other", "text": "This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6. The below previously shipped advisories were incomplete:\n\nhttps://access.redhat.com/errata/RHSA-2021:5108\n\nhttps://access.redhat.com/errata/RHSA-2021:5107\n\nhttps://access.redhat.com/errata/RHSA-2021:5106\n\nFor the complete fix, customers should upgrade to the images shipped in these advisories:\n\n4.8.24: https://access.redhat.com/errata/RHSA-2021:5183\n\n4.7.40: https://access.redhat.com/errata/RHSA-2021:5184\n\n4.6.52 https://access.redhat.com/errata/RHSA-2021:5186\n\nThe OpenShift Metering hive container images were deprecated in OpenShift 4.8, and not shipped in 4.9 or later.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4125" }, { "category": "external", "summary": "RHBZ#2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4125", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4125" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-45046", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" } ], "release_date": "2021-12-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T21:14:49+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5183" }, { "category": "workaround", "details": "Please follow the Mitigation advice for the original CVEs.", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046" } ] }
RHSA-2024:5856
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7.\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.1.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.1.7 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* undertow: EAP: field-name is not parsed in accordance to RFC7230 [eap-7.1.z] (CVE-2020-1710)\n\n* commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default [eap-7.1.z] (CVE-2019-10086)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [eap-7.1.z] (CVE-2022-23302)\n\n* jackson-databind: default typing mishandling leading to remote code execution [eap-7.1.z] (CVE-2019-14379)\n\n* undertow: HTTP/2: flood using HEADERS frames results in unbounded memory growth [eap-7.1.z] (CVE-2019-9514)\n\n* undertow: AJP File Read/Inclusion Vulnerability [eap-7.1.z] (CVE-2020-1745)\n\n* undertow: HTTP/2: large amount of data requests leads to denial of service [eap-7.1.z] (CVE-2019-9511)\n\n* undertow: servletPath in normalized incorrectly leading to dangerous application mapping which could result in security bypass [eap-7.1.z] (CVE-2020-1757)\n\n* undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS [eap-7.1.z] (CVE-2019-14888)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer [eap-7.1.z] (CVE-2022-23307)\n\n* netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header [eap-7.1.z] (CVE-2019-20445)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [eap-7.1.z] (CVE-2021-4104)\n\n* undertow: HTTP/2: flood using SETTINGS frames results in unbounded memory growth [eap-7.1.z] (CVE-2019-9515)\n\n* infinispan-core: infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods [eap-7.1.z] (CVE-2019-10174)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [eap-7.1.z] (CVE-2022-23305)\n\n* jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution [eap-7.1.z] (CVE-2019-12384)\n\n* wildfly-security-manager: security manager authorization bypass (CVE-2019-14843)\n\n* HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)\n\n* netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)\n\n* jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)\n\n* netty: HTTP request smuggling (CVE-2019-20444)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2024:5856", "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1", "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1/html-single/installation_guide/index", "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1/html-single/installation_guide/index" }, { "category": "external", "summary": "1703469", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1703469" }, { "category": "external", "summary": "1725807", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1725807" }, { "category": "external", "summary": "1735645", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735645" }, { "category": "external", "summary": "1735744", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735744" }, { "category": "external", "summary": "1735745", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735745" }, { "category": "external", "summary": "1737517", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737517" }, { "category": "external", "summary": "1741860", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1741860" }, { "category": "external", "summary": "1752770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752770" }, { "category": "external", "summary": "1752980", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752980" }, { "category": "external", "summary": "1758619", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758619" }, { "category": "external", "summary": "1767483", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1767483" }, { "category": "external", "summary": "1772464", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1772464" }, { "category": "external", "summary": "1775293", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1775293" }, { "category": "external", "summary": "1793970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970" }, { "category": "external", "summary": "1798509", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798509" }, { "category": "external", "summary": "1798524", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798524" }, { "category": "external", "summary": "1807305", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1807305" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-24826", "url": "https://issues.redhat.com/browse/JBEAP-24826" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_5856.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.1.7 on RHEL 7 security update", "tracking": { "current_release_date": "2025-10-09T20:17:01+00:00", "generator": { "date": "2025-10-09T20:17:01+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2024:5856", "initial_release_date": "2024-08-26T11:05:47+00:00", "revision_history": [ { "date": "2024-08-26T11:05:47+00:00", "number": "1", "summary": "Initial version" }, { "date": "2024-08-26T11:05:47+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T20:17:01+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "product_id": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@1.4.18-12.SP12_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "product_id": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-netty@4.1.45-1.Final_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "product_id": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.1.13-1.Final_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "product": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "product_id": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-commons-beanutils@1.9.4-1.redhat_00002.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "product_id": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "product_id": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.8.11.5-1.redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "product": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "product_id": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.1.7-2.GA_redhat_00002.1.ep7.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@1.4.18-12.SP12_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-netty@4.1.45-1.Final_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-netty-all@4.1.45-1.Final_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.1.13-1.Final_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-commons-beanutils@1.9.4-1.redhat_00002.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-jdbc@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-remote@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-client-hotrod@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-commons@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-core@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.8.11.5-1.redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.1.7-2.GA_redhat_00002.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.1.7-2.GA_redhat_00002.1.ep7.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src" }, "product_reference": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src" }, "product_reference": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-9511", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1741860" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. An attacker can request a large amount of data by manipulating window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this queue can consume excess CPU, memory, or both, leading to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: large amount of data requests leads to denial of service", "title": "Vulnerability summary" }, { "category": "other", "text": "There are no mitigations available for nghttp2 and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9511" }, { "category": "external", "summary": "RHBZ#1741860", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1741860" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9511", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9511" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9511", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9511" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://kb.cert.org/vuls/id/605641/", "url": "https://kb.cert.org/vuls/id/605641/" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/", "url": "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/" } ], "release_date": "2019-08-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "Red Hat Quay 3.0 uses Nginx 1.12 from Red Hat Software Collections. It will be updated once a fixed is released for Software Collections. In the meantime users of Quay can disable http/2 support in Nginx by following these instructions:\n\n1. Copy the Nginx configuration from the quay container to the host\n$ docker cp 3aadf1421ba3:/quay-registry/conf/nginx/ /mnt/quay/nginx\n\n2. Edit the Nginx configuration, removing http/2 support\n$ sed -i \u0027s/http2 //g\u0027 /mnt/quay/nginx/nginx.conf\n\n3. Restart Nginx with the new configuration mounted into the container, eg:\n$ docker run --restart=always -p 443:8443 -p 80:8080 --sysctl net.core.somaxconn=4096 -v /mnt/quay/config:/conf/stack:Z -v /mnt/quay/storage:/datastorage -v /mnt/quay/nginx:/quay-registry/config/nginx:Z -d quay.io/redhat/quay:v3.0.3", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: large amount of data requests leads to denial of service" }, { "acknowledgments": [ { "names": [ "the Envoy security team" ] } ], "cve": "CVE-2019-9512", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1735645" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. Using PING frames and queuing of response PING ACK frames, a flood attack could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: flood using PING frames results in unbounded memory growth", "title": "Vulnerability summary" }, { "category": "other", "text": "The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24.Aug.2019.\nThis issue did not affect the versions of grafana(embeds golang) as shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3 as they did not include the support for HTTP/2.\nThe following storage product versions are affected because they include the support for HTTP/2 in:\n* golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3\n* heketi(embeds golang) as shipped with Red Hat Gluster Storage 3\n* grafana(embeds golang and grpc) as shipped with Red Hat Ceph Storage 3\nThis flaw has no available mitigation for packages golang and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.\n\nAll OpenShift Container Platform RPMs and container images that are built with Go and support HTTP/2 are vulnerable to this flaw.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9512" }, { "category": "external", "summary": "RHBZ#1735645", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735645" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9512", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9512" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9512", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9512" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg", "url": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA", "url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html" } ], "release_date": "2019-08-13T17:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: flood using PING frames results in unbounded memory growth" }, { "acknowledgments": [ { "names": [ "the Envoy security team" ] } ], "cve": "CVE-2019-9514", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1735744" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. Using HEADER frames with invalid HTTP headers and queuing of response RST_STREAM frames, an attacker could cause a flood resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: flood using HEADERS frames results in unbounded memory growth", "title": "Vulnerability summary" }, { "category": "other", "text": "The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24.Aug.2019.\nThis issue did not affect the versions of grafana(embeds golang) as shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3 as they did not include the support for HTTP/2.\nThe following storage product versions are affected because they include the support for HTTP/2 in:\n* golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3\n* heketi(embeds golang) as shipped with Red Hat Gluster Storage 3\n* grafana(embeds golang and grpc) as shipped with Red Hat Ceph Storage 3\nThis flaw has no available mitigation for packages golang and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.\n\nAll OpenShift Container Platform RPMs and container images that are built with Go and support HTTP/2 are vulnerable to this flaw.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9514" }, { "category": "external", "summary": "RHBZ#1735744", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735744" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9514", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9514" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9514", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9514" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg", "url": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA", "url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html" } ], "release_date": "2019-08-13T17:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: flood using HEADERS frames results in unbounded memory growth" }, { "acknowledgments": [ { "names": [ "the Envoy security team" ] } ], "cve": "CVE-2019-9515", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1735745" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. Using SETTINGS frames and queuing of SETTINGS ACK frames, a flood could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: flood using SETTINGS frames results in unbounded memory growth", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue affects the version of grafana(embeds gRPC) as shipped with Red Hat Ceph Storage 3 as it include the support for HTTP/2.\nThis flaw has no available mitigation for nodejs package. It will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9515" }, { "category": "external", "summary": "RHBZ#1735745", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735745" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9515", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9515" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9515", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9515" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html" } ], "release_date": "2019-08-13T17:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: flood using SETTINGS frames results in unbounded memory growth" }, { "cve": "CVE-2019-10086", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-10-31T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1767483" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Commons BeanUtils, where the class property in PropertyUtilsBean is not suppressed by default. This flaw allows an attacker to access the classloader.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-10086" }, { "category": "external", "summary": "RHBZ#1767483", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1767483" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-10086", "url": "https://www.cve.org/CVERecord?id=CVE-2019-10086" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10086", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10086" }, { "category": "external", "summary": "https://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt", "url": "https://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt" } ], "release_date": "2019-08-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "There is no currently known mitigation for this flaw.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default" }, { "cve": "CVE-2019-10174", "cwe": { "id": "CWE-470", "name": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)" }, "discovery_date": "2018-10-25T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1703469" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan\u0027s privileges. The attacker can use reflection to introduce new, malicious behavior into the application.", "title": "Vulnerability description" }, { "category": "summary", "text": "infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight contains the vulnerable library. This library is a requirement of other dependencies (Karaf and Hibernate). Under supported deployments, the vulnerable functionality is not utilized. Based on this, no OpenDaylight versions will not be fixed.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-10174" }, { "category": "external", "summary": "RHBZ#1703469", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1703469" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-10174", "url": "https://www.cve.org/CVERecord?id=CVE-2019-10174" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10174", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10174" } ], "release_date": "2019-11-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "There is no known mitigation for this issue.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods" }, { "cve": "CVE-2019-12384", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-06-25T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1725807" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in FasterXML jackson-databind in versions prior to 2.9.9. The vulnerability would permit polymorphic deserialization of malicious objects using the logback-core gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. Depending on the classpath content, remote code execution may be possible.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack\u0027s OpenDaylight does not use logback in any supported configuration. Therefore, the prerequisites for this vulnerability are not present and OpenDaylight is not affected.\n\nThis vulnerability relies on logback-core (ch.qos.logback.core) being present in the application\u0027s ClassPath. Logback-core is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. Applications using jackson-databind that do not also use logback-core are not impacted by this vulnerability.\n\nThis issue affects the versions of jackson-databind bundled with candlepin as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-12384" }, { "category": "external", "summary": "RHBZ#1725807", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1725807" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-12384", "url": "https://www.cve.org/CVERecord?id=CVE-2019-12384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-12384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12384" } ], "release_date": "2019-06-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution" }, { "cve": "CVE-2019-14379", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-07-29T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1737517" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache and logback JNDI gadgets when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: default typing mishandling leading to remote code execution", "title": "Vulnerability summary" }, { "category": "other", "text": "While OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nSimilarly, Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-14379" }, { "category": "external", "summary": "RHBZ#1737517", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737517" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-14379", "url": "https://www.cve.org/CVERecord?id=CVE-2019-14379" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14379", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14379" } ], "release_date": "2019-07-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jackson-databind: default typing mishandling leading to remote code execution" }, { "cve": "CVE-2019-14843", "cwe": { "id": "CWE-592", "name": "CWE-592" }, "discovery_date": "2019-09-17T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1752980" } ], "notes": [ { "category": "description", "text": "A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "wildfly-security-manager: security manager authorization bypass", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-14843" }, { "category": "external", "summary": "RHBZ#1752980", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752980" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-14843", "url": "https://www.cve.org/CVERecord?id=CVE-2019-14843" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14843", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14843" } ], "release_date": "2019-09-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "This flaw only affects the Security Manager running under JDK 11 or 8. To mitigate exposure to this flaw, do not run under those JDK versions.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "wildfly-security-manager: security manager authorization bypass" }, { "acknowledgments": [ { "names": [ "Henning Baldersheim", "H\u00e5vard Pettersen" ], "organization": "Verizon Media" } ], "cve": "CVE-2019-14888", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-10-25T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1772464" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in the Undertow HTTP server listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-14888" }, { "category": "external", "summary": "RHBZ#1772464", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1772464" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-14888", "url": "https://www.cve.org/CVERecord?id=CVE-2019-14888" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14888", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14888" } ], "release_date": "2020-01-20T12:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "Enable HTTP2 (enable-http2=\"true\") in the undertow\u0027s HTTPS settings.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS" }, { "cve": "CVE-2019-16869", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2019-09-26T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1758619" } ], "notes": [ { "category": "description", "text": "A flaw was found in Netty, where whitespace before the colon in HTTP headers is mishandled. This flaw allows an attacker to cause HTTP request smuggling.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that this vulnerability does not poses a substantial practical threat to ElasticSearch 6 [1]. We agree that this issue would be difficult to exploit these vulnerabilities on OpenShift Container Platform, so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships vulnerable netty version embedded in Candlepin, however, is not directly vulnerable since HTTP requests are handled by Tomcat and not netty.\n\n[1] https://github.com/elastic/elasticsearch/issues/49396", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-16869" }, { "category": "external", "summary": "RHBZ#1758619", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758619" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-16869", "url": "https://www.cve.org/CVERecord?id=CVE-2019-16869" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-16869", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16869" } ], "release_date": "2019-09-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers" }, { "cve": "CVE-2019-17531", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2019-11-21T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1775293" } ], "notes": [ { "category": "description", "text": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*", "title": "Vulnerability summary" }, { "category": "other", "text": "Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenShift Container Platform does ship the vulnerable component, but does not enable the unsafe conditions needed to exploit, lowering their vulnerability impact.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-17531" }, { "category": "external", "summary": "RHBZ#1775293", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1775293" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-17531", "url": "https://www.cve.org/CVERecord?id=CVE-2019-17531" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17531", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17531" } ], "release_date": "2019-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*" }, { "cve": "CVE-2019-20444", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2020-01-30T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1798524" } ], "notes": [ { "category": "description", "text": "A HTTP smuggling flaw was found in HttpObjectDecoder.java in Netty in versions prior to version 4.1.44. HTTP headers with an invalid fold, in this case CRLF (carriage return, line feed) without being followed by SP (space) or HTAB (horizontal tab), result in situations where headers can be misread. Data integrity is the highest threat with this vulnerability.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: HTTP request smuggling", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that the previous vulnerability, CVE-2019-16869, does not pose a substantial practical threat to ElasticSearch 6. We agree that these issues would be difficult to exploit on OpenShift Container Platform so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships a vulnerable version of netty embedded in Candlepin. However, the flaw can not be triggered in that context, because HTTP requests are handled by Tomcat, not by netty. A future release may fix this.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20444" }, { "category": "external", "summary": "RHBZ#1798524", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798524" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20444", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20444" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444" }, { "category": "external", "summary": "https://github.com/elastic/elasticsearch/issues/49396", "url": "https://github.com/elastic/elasticsearch/issues/49396" } ], "release_date": "2020-01-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "netty: HTTP request smuggling" }, { "cve": "CVE-2019-20445", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2020-01-20T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1798509" } ], "notes": [ { "category": "description", "text": "A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a server, it could result in a viable HTTP smuggling vulnerability.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that the previous vulnerability, CVE-2019-16869, does not poses a substantial practical threat to ElasticSearch 6 [1]. We agree that this issue would be difficult to exploit both these vulnerabilities on OpenShift Container Platform, so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships a vulnerable version of netty embedded in Candlepin. However, the flaw can not be triggered in that context, because HTTP requests are handled by Tomcat, not by netty. A future release may fix this.\n\n[1] https://github.com/elastic/elasticsearch/issues/49396", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20445" }, { "category": "external", "summary": "RHBZ#1798509", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798509" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20445", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20445" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445" } ], "release_date": "2020-01-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header" }, { "cve": "CVE-2020-1710", "cwe": { "id": "CWE-113", "name": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)" }, "discovery_date": "2019-12-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1793970" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in JBoss EAP, where it does not process the header field-name in accordance with RFC7230. Whitespace between the header field-name and colon is processed, resulting in an HTTP response code of 200 instead of a bad request of 400.", "title": "Vulnerability description" }, { "category": "summary", "text": "EAP: field-name is not parsed in accordance to RFC7230", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1710" }, { "category": "external", "summary": "RHBZ#1793970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1710", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1710" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1710", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1710" } ], "release_date": "2020-08-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "There is currently no known mitigation for this issue.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "EAP: field-name is not parsed in accordance to RFC7230" }, { "acknowledgments": [ { "names": [ "Steve Zapantis", "Robert Roberson", "taktakdb4g" ] } ], "cve": "CVE-2020-1745", "cwe": { "id": "CWE-285", "name": "Improper Authorization" }, "discovery_date": "2020-02-24T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1807305" } ], "notes": [ { "category": "description", "text": "A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: AJP File Read/Inclusion Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251 and CVE page https://access.redhat.com/security/cve/cve-2020-1938", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1745" }, { "category": "external", "summary": "RHBZ#1807305", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1807305" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1745", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1745" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1745", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1745" }, { "category": "external", "summary": "https://meterpreter.org/cve-2020-1938-apache-tomcat-ajp-connector-remote-code-execution-vulnerability-alert/", "url": "https://meterpreter.org/cve-2020-1938-apache-tomcat-ajp-connector-remote-code-execution-vulnerability-alert/" }, { "category": "external", "summary": "https://www.cnvd.org.cn/webinfo/show/5415", "url": "https://www.cnvd.org.cn/webinfo/show/5415" }, { "category": "external", "summary": "https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487", "url": "https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487" } ], "release_date": "2020-02-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: AJP File Read/Inclusion Vulnerability" }, { "acknowledgments": [ { "names": [ "Fedorov Oleksii", "Keitaro Yamazaki", "Shiga Ryota" ], "organization": "LINE Corporation" } ], "cve": "CVE-2020-1757", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2019-09-09T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1752770" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow, where the servlet container causes the servletPath to normalize incorrectly by truncating the path after the semicolon. The flaw may lead to application mapping, resulting in a security bypass.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1757" }, { "category": "external", "summary": "RHBZ#1752770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752770" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1757", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1757" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1757", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1757" } ], "release_date": "2018-12-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The issue can be mitigated by configuring UrlPathHelper to ignore the servletPath via setting \"alwaysUseFullPath\".", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:0289
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0289", "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0289.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2025-10-09T21:42:15+00:00", "generator": { "date": "2025-10-09T21:42:15+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0289", "initial_release_date": "2022-01-26T14:57:42+00:00", "revision_history": [ { "date": "2022-01-26T14:57:42+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:57:42+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:15+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product": { "name": "Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_eus:8.4::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "product": { "name": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm (parfait:0.5)", "product_id": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "product": { "name": "parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm (parfait:0.5)", "product_id": "parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "product": { "name": "parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm (parfait:0.5)", "product_id": "parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "product": { "name": "pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm (parfait:0.5)", "product_id": "pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "product": { "name": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm (parfait:0.5)", "product_id": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=src\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5" }, "product_reference": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5" }, "product_reference": "pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2024:5856
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7.\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.1.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.1.7 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* undertow: EAP: field-name is not parsed in accordance to RFC7230 [eap-7.1.z] (CVE-2020-1710)\n\n* commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default [eap-7.1.z] (CVE-2019-10086)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [eap-7.1.z] (CVE-2022-23302)\n\n* jackson-databind: default typing mishandling leading to remote code execution [eap-7.1.z] (CVE-2019-14379)\n\n* undertow: HTTP/2: flood using HEADERS frames results in unbounded memory growth [eap-7.1.z] (CVE-2019-9514)\n\n* undertow: AJP File Read/Inclusion Vulnerability [eap-7.1.z] (CVE-2020-1745)\n\n* undertow: HTTP/2: large amount of data requests leads to denial of service [eap-7.1.z] (CVE-2019-9511)\n\n* undertow: servletPath in normalized incorrectly leading to dangerous application mapping which could result in security bypass [eap-7.1.z] (CVE-2020-1757)\n\n* undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS [eap-7.1.z] (CVE-2019-14888)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer [eap-7.1.z] (CVE-2022-23307)\n\n* netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header [eap-7.1.z] (CVE-2019-20445)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [eap-7.1.z] (CVE-2021-4104)\n\n* undertow: HTTP/2: flood using SETTINGS frames results in unbounded memory growth [eap-7.1.z] (CVE-2019-9515)\n\n* infinispan-core: infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods [eap-7.1.z] (CVE-2019-10174)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [eap-7.1.z] (CVE-2022-23305)\n\n* jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution [eap-7.1.z] (CVE-2019-12384)\n\n* wildfly-security-manager: security manager authorization bypass (CVE-2019-14843)\n\n* HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)\n\n* netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)\n\n* jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)\n\n* netty: HTTP request smuggling (CVE-2019-20444)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2024:5856", "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1", "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1/html-single/installation_guide/index", "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1/html-single/installation_guide/index" }, { "category": "external", "summary": "1703469", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1703469" }, { "category": "external", "summary": "1725807", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1725807" }, { "category": "external", "summary": "1735645", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735645" }, { "category": "external", "summary": "1735744", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735744" }, { "category": "external", "summary": "1735745", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735745" }, { "category": "external", "summary": "1737517", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737517" }, { "category": "external", "summary": "1741860", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1741860" }, { "category": "external", "summary": "1752770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752770" }, { "category": "external", "summary": "1752980", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752980" }, { "category": "external", "summary": "1758619", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758619" }, { "category": "external", "summary": "1767483", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1767483" }, { "category": "external", "summary": "1772464", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1772464" }, { "category": "external", "summary": "1775293", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1775293" }, { "category": "external", "summary": "1793970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970" }, { "category": "external", "summary": "1798509", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798509" }, { "category": "external", "summary": "1798524", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798524" }, { "category": "external", "summary": "1807305", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1807305" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-24826", "url": "https://issues.redhat.com/browse/JBEAP-24826" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_5856.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.1.7 on RHEL 7 security update", "tracking": { "current_release_date": "2025-10-09T20:17:01+00:00", "generator": { "date": "2025-10-09T20:17:01+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2024:5856", "initial_release_date": "2024-08-26T11:05:47+00:00", "revision_history": [ { "date": "2024-08-26T11:05:47+00:00", "number": "1", "summary": "Initial version" }, { "date": "2024-08-26T11:05:47+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T20:17:01+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "product_id": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@1.4.18-12.SP12_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "product_id": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-netty@4.1.45-1.Final_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "product_id": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.1.13-1.Final_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "product": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "product_id": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-commons-beanutils@1.9.4-1.redhat_00002.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "product_id": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "product_id": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.8.11.5-1.redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "product": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "product_id": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.1.7-2.GA_redhat_00002.1.ep7.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@1.4.18-12.SP12_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-netty@4.1.45-1.Final_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-netty-all@4.1.45-1.Final_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.1.13-1.Final_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-commons-beanutils@1.9.4-1.redhat_00002.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-jdbc@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-remote@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-client-hotrod@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-commons@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-core@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.8.11.5-1.redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.1.7-2.GA_redhat_00002.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.1.7-2.GA_redhat_00002.1.ep7.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src" }, "product_reference": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src" }, "product_reference": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-9511", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1741860" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. An attacker can request a large amount of data by manipulating window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this queue can consume excess CPU, memory, or both, leading to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: large amount of data requests leads to denial of service", "title": "Vulnerability summary" }, { "category": "other", "text": "There are no mitigations available for nghttp2 and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9511" }, { "category": "external", "summary": "RHBZ#1741860", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1741860" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9511", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9511" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9511", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9511" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://kb.cert.org/vuls/id/605641/", "url": "https://kb.cert.org/vuls/id/605641/" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/", "url": "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/" } ], "release_date": "2019-08-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "Red Hat Quay 3.0 uses Nginx 1.12 from Red Hat Software Collections. It will be updated once a fixed is released for Software Collections. In the meantime users of Quay can disable http/2 support in Nginx by following these instructions:\n\n1. Copy the Nginx configuration from the quay container to the host\n$ docker cp 3aadf1421ba3:/quay-registry/conf/nginx/ /mnt/quay/nginx\n\n2. Edit the Nginx configuration, removing http/2 support\n$ sed -i \u0027s/http2 //g\u0027 /mnt/quay/nginx/nginx.conf\n\n3. Restart Nginx with the new configuration mounted into the container, eg:\n$ docker run --restart=always -p 443:8443 -p 80:8080 --sysctl net.core.somaxconn=4096 -v /mnt/quay/config:/conf/stack:Z -v /mnt/quay/storage:/datastorage -v /mnt/quay/nginx:/quay-registry/config/nginx:Z -d quay.io/redhat/quay:v3.0.3", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: large amount of data requests leads to denial of service" }, { "acknowledgments": [ { "names": [ "the Envoy security team" ] } ], "cve": "CVE-2019-9512", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1735645" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. Using PING frames and queuing of response PING ACK frames, a flood attack could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: flood using PING frames results in unbounded memory growth", "title": "Vulnerability summary" }, { "category": "other", "text": "The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24.Aug.2019.\nThis issue did not affect the versions of grafana(embeds golang) as shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3 as they did not include the support for HTTP/2.\nThe following storage product versions are affected because they include the support for HTTP/2 in:\n* golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3\n* heketi(embeds golang) as shipped with Red Hat Gluster Storage 3\n* grafana(embeds golang and grpc) as shipped with Red Hat Ceph Storage 3\nThis flaw has no available mitigation for packages golang and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.\n\nAll OpenShift Container Platform RPMs and container images that are built with Go and support HTTP/2 are vulnerable to this flaw.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9512" }, { "category": "external", "summary": "RHBZ#1735645", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735645" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9512", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9512" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9512", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9512" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg", "url": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA", "url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html" } ], "release_date": "2019-08-13T17:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: flood using PING frames results in unbounded memory growth" }, { "acknowledgments": [ { "names": [ "the Envoy security team" ] } ], "cve": "CVE-2019-9514", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1735744" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. Using HEADER frames with invalid HTTP headers and queuing of response RST_STREAM frames, an attacker could cause a flood resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: flood using HEADERS frames results in unbounded memory growth", "title": "Vulnerability summary" }, { "category": "other", "text": "The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24.Aug.2019.\nThis issue did not affect the versions of grafana(embeds golang) as shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3 as they did not include the support for HTTP/2.\nThe following storage product versions are affected because they include the support for HTTP/2 in:\n* golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3\n* heketi(embeds golang) as shipped with Red Hat Gluster Storage 3\n* grafana(embeds golang and grpc) as shipped with Red Hat Ceph Storage 3\nThis flaw has no available mitigation for packages golang and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.\n\nAll OpenShift Container Platform RPMs and container images that are built with Go and support HTTP/2 are vulnerable to this flaw.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9514" }, { "category": "external", "summary": "RHBZ#1735744", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735744" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9514", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9514" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9514", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9514" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg", "url": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA", "url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html" } ], "release_date": "2019-08-13T17:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: flood using HEADERS frames results in unbounded memory growth" }, { "acknowledgments": [ { "names": [ "the Envoy security team" ] } ], "cve": "CVE-2019-9515", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1735745" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. Using SETTINGS frames and queuing of SETTINGS ACK frames, a flood could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: flood using SETTINGS frames results in unbounded memory growth", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue affects the version of grafana(embeds gRPC) as shipped with Red Hat Ceph Storage 3 as it include the support for HTTP/2.\nThis flaw has no available mitigation for nodejs package. It will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9515" }, { "category": "external", "summary": "RHBZ#1735745", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735745" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9515", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9515" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9515", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9515" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html" } ], "release_date": "2019-08-13T17:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: flood using SETTINGS frames results in unbounded memory growth" }, { "cve": "CVE-2019-10086", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-10-31T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1767483" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Commons BeanUtils, where the class property in PropertyUtilsBean is not suppressed by default. This flaw allows an attacker to access the classloader.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-10086" }, { "category": "external", "summary": "RHBZ#1767483", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1767483" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-10086", "url": "https://www.cve.org/CVERecord?id=CVE-2019-10086" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10086", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10086" }, { "category": "external", "summary": "https://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt", "url": "https://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt" } ], "release_date": "2019-08-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "There is no currently known mitigation for this flaw.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default" }, { "cve": "CVE-2019-10174", "cwe": { "id": "CWE-470", "name": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)" }, "discovery_date": "2018-10-25T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1703469" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan\u0027s privileges. The attacker can use reflection to introduce new, malicious behavior into the application.", "title": "Vulnerability description" }, { "category": "summary", "text": "infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight contains the vulnerable library. This library is a requirement of other dependencies (Karaf and Hibernate). Under supported deployments, the vulnerable functionality is not utilized. Based on this, no OpenDaylight versions will not be fixed.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-10174" }, { "category": "external", "summary": "RHBZ#1703469", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1703469" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-10174", "url": "https://www.cve.org/CVERecord?id=CVE-2019-10174" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10174", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10174" } ], "release_date": "2019-11-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "There is no known mitigation for this issue.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods" }, { "cve": "CVE-2019-12384", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-06-25T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1725807" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in FasterXML jackson-databind in versions prior to 2.9.9. The vulnerability would permit polymorphic deserialization of malicious objects using the logback-core gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. Depending on the classpath content, remote code execution may be possible.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack\u0027s OpenDaylight does not use logback in any supported configuration. Therefore, the prerequisites for this vulnerability are not present and OpenDaylight is not affected.\n\nThis vulnerability relies on logback-core (ch.qos.logback.core) being present in the application\u0027s ClassPath. Logback-core is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. Applications using jackson-databind that do not also use logback-core are not impacted by this vulnerability.\n\nThis issue affects the versions of jackson-databind bundled with candlepin as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-12384" }, { "category": "external", "summary": "RHBZ#1725807", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1725807" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-12384", "url": "https://www.cve.org/CVERecord?id=CVE-2019-12384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-12384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12384" } ], "release_date": "2019-06-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution" }, { "cve": "CVE-2019-14379", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-07-29T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1737517" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache and logback JNDI gadgets when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: default typing mishandling leading to remote code execution", "title": "Vulnerability summary" }, { "category": "other", "text": "While OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nSimilarly, Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-14379" }, { "category": "external", "summary": "RHBZ#1737517", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737517" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-14379", "url": "https://www.cve.org/CVERecord?id=CVE-2019-14379" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14379", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14379" } ], "release_date": "2019-07-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jackson-databind: default typing mishandling leading to remote code execution" }, { "cve": "CVE-2019-14843", "cwe": { "id": "CWE-592", "name": "CWE-592" }, "discovery_date": "2019-09-17T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1752980" } ], "notes": [ { "category": "description", "text": "A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "wildfly-security-manager: security manager authorization bypass", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-14843" }, { "category": "external", "summary": "RHBZ#1752980", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752980" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-14843", "url": "https://www.cve.org/CVERecord?id=CVE-2019-14843" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14843", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14843" } ], "release_date": "2019-09-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "This flaw only affects the Security Manager running under JDK 11 or 8. To mitigate exposure to this flaw, do not run under those JDK versions.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "wildfly-security-manager: security manager authorization bypass" }, { "acknowledgments": [ { "names": [ "Henning Baldersheim", "H\u00e5vard Pettersen" ], "organization": "Verizon Media" } ], "cve": "CVE-2019-14888", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-10-25T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1772464" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in the Undertow HTTP server listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-14888" }, { "category": "external", "summary": "RHBZ#1772464", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1772464" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-14888", "url": "https://www.cve.org/CVERecord?id=CVE-2019-14888" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14888", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14888" } ], "release_date": "2020-01-20T12:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "Enable HTTP2 (enable-http2=\"true\") in the undertow\u0027s HTTPS settings.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS" }, { "cve": "CVE-2019-16869", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2019-09-26T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1758619" } ], "notes": [ { "category": "description", "text": "A flaw was found in Netty, where whitespace before the colon in HTTP headers is mishandled. This flaw allows an attacker to cause HTTP request smuggling.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that this vulnerability does not poses a substantial practical threat to ElasticSearch 6 [1]. We agree that this issue would be difficult to exploit these vulnerabilities on OpenShift Container Platform, so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships vulnerable netty version embedded in Candlepin, however, is not directly vulnerable since HTTP requests are handled by Tomcat and not netty.\n\n[1] https://github.com/elastic/elasticsearch/issues/49396", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-16869" }, { "category": "external", "summary": "RHBZ#1758619", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758619" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-16869", "url": "https://www.cve.org/CVERecord?id=CVE-2019-16869" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-16869", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16869" } ], "release_date": "2019-09-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers" }, { "cve": "CVE-2019-17531", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2019-11-21T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1775293" } ], "notes": [ { "category": "description", "text": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*", "title": "Vulnerability summary" }, { "category": "other", "text": "Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenShift Container Platform does ship the vulnerable component, but does not enable the unsafe conditions needed to exploit, lowering their vulnerability impact.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-17531" }, { "category": "external", "summary": "RHBZ#1775293", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1775293" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-17531", "url": "https://www.cve.org/CVERecord?id=CVE-2019-17531" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17531", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17531" } ], "release_date": "2019-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*" }, { "cve": "CVE-2019-20444", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2020-01-30T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1798524" } ], "notes": [ { "category": "description", "text": "A HTTP smuggling flaw was found in HttpObjectDecoder.java in Netty in versions prior to version 4.1.44. HTTP headers with an invalid fold, in this case CRLF (carriage return, line feed) without being followed by SP (space) or HTAB (horizontal tab), result in situations where headers can be misread. Data integrity is the highest threat with this vulnerability.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: HTTP request smuggling", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that the previous vulnerability, CVE-2019-16869, does not pose a substantial practical threat to ElasticSearch 6. We agree that these issues would be difficult to exploit on OpenShift Container Platform so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships a vulnerable version of netty embedded in Candlepin. However, the flaw can not be triggered in that context, because HTTP requests are handled by Tomcat, not by netty. A future release may fix this.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20444" }, { "category": "external", "summary": "RHBZ#1798524", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798524" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20444", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20444" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444" }, { "category": "external", "summary": "https://github.com/elastic/elasticsearch/issues/49396", "url": "https://github.com/elastic/elasticsearch/issues/49396" } ], "release_date": "2020-01-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "netty: HTTP request smuggling" }, { "cve": "CVE-2019-20445", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2020-01-20T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1798509" } ], "notes": [ { "category": "description", "text": "A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a server, it could result in a viable HTTP smuggling vulnerability.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that the previous vulnerability, CVE-2019-16869, does not poses a substantial practical threat to ElasticSearch 6 [1]. We agree that this issue would be difficult to exploit both these vulnerabilities on OpenShift Container Platform, so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships a vulnerable version of netty embedded in Candlepin. However, the flaw can not be triggered in that context, because HTTP requests are handled by Tomcat, not by netty. A future release may fix this.\n\n[1] https://github.com/elastic/elasticsearch/issues/49396", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20445" }, { "category": "external", "summary": "RHBZ#1798509", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798509" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20445", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20445" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445" } ], "release_date": "2020-01-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header" }, { "cve": "CVE-2020-1710", "cwe": { "id": "CWE-113", "name": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)" }, "discovery_date": "2019-12-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1793970" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in JBoss EAP, where it does not process the header field-name in accordance with RFC7230. Whitespace between the header field-name and colon is processed, resulting in an HTTP response code of 200 instead of a bad request of 400.", "title": "Vulnerability description" }, { "category": "summary", "text": "EAP: field-name is not parsed in accordance to RFC7230", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1710" }, { "category": "external", "summary": "RHBZ#1793970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1710", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1710" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1710", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1710" } ], "release_date": "2020-08-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "There is currently no known mitigation for this issue.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "EAP: field-name is not parsed in accordance to RFC7230" }, { "acknowledgments": [ { "names": [ "Steve Zapantis", "Robert Roberson", "taktakdb4g" ] } ], "cve": "CVE-2020-1745", "cwe": { "id": "CWE-285", "name": "Improper Authorization" }, "discovery_date": "2020-02-24T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1807305" } ], "notes": [ { "category": "description", "text": "A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: AJP File Read/Inclusion Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251 and CVE page https://access.redhat.com/security/cve/cve-2020-1938", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1745" }, { "category": "external", "summary": "RHBZ#1807305", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1807305" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1745", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1745" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1745", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1745" }, { "category": "external", "summary": "https://meterpreter.org/cve-2020-1938-apache-tomcat-ajp-connector-remote-code-execution-vulnerability-alert/", "url": "https://meterpreter.org/cve-2020-1938-apache-tomcat-ajp-connector-remote-code-execution-vulnerability-alert/" }, { "category": "external", "summary": "https://www.cnvd.org.cn/webinfo/show/5415", "url": "https://www.cnvd.org.cn/webinfo/show/5415" }, { "category": "external", "summary": "https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487", "url": "https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487" } ], "release_date": "2020-02-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: AJP File Read/Inclusion Vulnerability" }, { "acknowledgments": [ { "names": [ "Fedorov Oleksii", "Keitaro Yamazaki", "Shiga Ryota" ], "organization": "LINE Corporation" } ], "cve": "CVE-2020-1757", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2019-09-09T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1752770" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow, where the servlet container causes the servletPath to normalize incorrectly by truncating the path after the semicolon. The flaw may lead to application mapping, resulting in a security bypass.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1757" }, { "category": "external", "summary": "RHBZ#1752770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752770" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1757", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1757" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1757", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1757" } ], "release_date": "2018-12-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The issue can be mitigated by configuring UrlPathHelper to ignore the servletPath via setting \"alwaysUseFullPath\".", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021:5107
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.7.40 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5107", "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5107.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.7.40 security update", "tracking": { "current_release_date": "2025-10-22T11:00:05+00:00", "generator": { "date": "2025-10-22T11:00:05+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2021:5107", "initial_release_date": "2021-12-16T15:00:19+00:00", "revision_history": [ { "date": "2021-12-16T15:00:19+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T15:00:19+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-22T11:00:05+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.7", "product": { "name": "Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.7::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "product": { "name": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "product_id": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hadoop\u0026tag=v4.7.0-202112150631.p0.g6046504.assembly.4.7.40" } } }, { "category": "product_version", "name": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "product": { "name": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "product_id": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hive\u0026tag=v4.7.0-202112140553.p0.g091bb99.assembly.stream" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.7.0-202112150631.p0.g3959be4.assembly.4.7.40" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.7.0.202112150631.p0.g3959be4.assembly.4.7.40-1" } } }, { "category": "product_version", "name": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64", "product": { "name": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64", "product_id": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-presto\u0026tag=v4.7.0-202112150631.p0.gd502108.assembly.4.7.40" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" }, "product_reference": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64" }, "product_reference": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" }, "product_reference": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T15:00:19+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T15:00:19+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Critical" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T15:00:19+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
rhsa-2021_5141
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.6.52 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact\nof Critical. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5141", "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5141.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.6.52 security update", "tracking": { "current_release_date": "2025-01-06T21:40:36+00:00", "generator": { "date": "2025-01-06T21:40:36+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.5" } }, "id": "RHSA-2021:5141", "initial_release_date": "2021-12-16T07:50:00+00:00", "revision_history": [ { "date": "2021-12-16T07:50:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T07:50:00+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-01-06T21:40:36+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.6", "product": { "name": "Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.6::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "product": { "name": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "product_id": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hadoop\u0026tag=v4.6.0-202112150545.p0.gf381145.assembly.art3595" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.6.0-202112150545.p0.gd74112d.assembly.art3595" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.6.0.202112150545.p0.gd74112d.assembly.art3595-1" } } }, { "category": "product_version", "name": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "product": { "name": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "product_id": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-presto\u0026tag=v4.6.0-202112150545.p0.g190688a.assembly.art3595" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" }, "product_reference": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" }, "product_reference": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T07:50:00+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T07:50:00+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Critical" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T07:50:00+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
RHSA-2022:5458
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 6.4. Red Hat Product Security has rated this update as having a security impact of Important.\n\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.23 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 6.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n\n* jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS (CVE-2020-14384)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:5458", "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index" }, { "category": "external", "summary": "1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "1871928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1871928" }, { "category": "external", "summary": "1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5458.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update", "tracking": { "current_release_date": "2025-10-09T20:37:16+00:00", "generator": { "date": "2025-10-09T20:37:16+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:5458", "initial_release_date": "2022-06-30T18:34:28+00:00", "revision_history": [ { "date": "2022-06-30T18:34:28+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-30T18:34:28+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T20:37:16+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 6.4.24 release", "product": { "name": "EAP 6.4.24 release", "product_id": "EAP 6.4.24 release", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-13935", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-07-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857024" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Certificate System 10.0 as well as Red Hat Enterprise Linux 8\u0027s Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, there is no entry point for WebSockets, thus it is not possible to trigger the flaw in a supported setup. A future update may fix the code. Similarly, Red Hat OpenStack Platform 13 does not ship with WebSocket functionality enabled by default.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-13935" }, { "category": "external", "summary": "RHBZ#1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-13935", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13935" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935" }, { "category": "external", "summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E", "url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E" }, { "category": "external", "summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7", "url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7" }, { "category": "external", "summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105", "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105" }, { "category": "external", "summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57", "url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57" }, { "category": "external", "summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37", "url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37" } ], "release_date": "2020-07-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS" }, { "cve": "CVE-2020-14384", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1875176" } ], "notes": [ { "category": "description", "text": "A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-14384" }, { "category": "external", "summary": "RHBZ#1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14384", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384" } ], "release_date": "2020-09-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021:5206
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for log4j is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 7.3 Advanced Update Support, Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.6 Advanced Update Support, Red Hat Enterprise Linux 7.6 Telco Extended Update Support, Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.7 Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Log4j is a tool to help the programmer output log statements to a variety of output targets.\n\nSecurity Fix(es):\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5206", "url": "https://access.redhat.com/errata/RHSA-2021:5206" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5206.json" } ], "title": "Red Hat Security Advisory: log4j security update", "tracking": { "current_release_date": "2025-10-09T21:42:10+00:00", "generator": { "date": "2025-10-09T21:42:10+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2021:5206", "initial_release_date": "2021-12-20T09:54:00+00:00", "revision_history": [ { "date": "2021-12-20T09:54:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-20T09:54:00+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:10+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux Server (v. 6 ELS)", "product": { "name": "Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_els:6" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product": { "name": "Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_els:6" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.3)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.3::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.3::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.4)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.4::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.4::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server E4S (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server TUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server E4S (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server TUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Client (v. 7)", "product": { "name": "Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::client" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Client Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::client" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::computenode" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server (v. 7)", "product": { "name": "Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Workstation (v. 7)", "product": { "name": "Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::workstation" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Workstation Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::workstation" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.14-6.5.el6_10.src", "product": { "name": "log4j-0:1.2.14-6.5.el6_10.src", "product_id": "log4j-0:1.2.14-6.5.el6_10.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.5.el6_10?arch=src" } } }, { "category": "product_version", "name": "log4j-0:1.2.17-16.el7_3.src", "product": { "name": "log4j-0:1.2.17-16.el7_3.src", "product_id": "log4j-0:1.2.17-16.el7_3.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-16.el7_3?arch=src" } } }, { "category": "product_version", "name": "log4j-0:1.2.17-17.el7_4.src", "product": { "name": "log4j-0:1.2.17-17.el7_4.src", "product_id": "log4j-0:1.2.17-17.el7_4.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-17.el7_4?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.14-6.5.el6_10.x86_64", "product": { "name": "log4j-0:1.2.14-6.5.el6_10.x86_64", "product_id": "log4j-0:1.2.14-6.5.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.5.el6_10?arch=x86_64" } } }, { "category": "product_version", "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "product": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "product_id": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-debuginfo@1.2.14-6.5.el6_10?arch=x86_64" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "product": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "product_id": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.14-6.5.el6_10?arch=x86_64" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "product": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "product_id": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.14-6.5.el6_10?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.14-6.5.el6_10.i686", "product": { "name": "log4j-0:1.2.14-6.5.el6_10.i686", "product_id": "log4j-0:1.2.14-6.5.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.5.el6_10?arch=i686" } } }, { "category": "product_version", "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "product": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "product_id": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-debuginfo@1.2.14-6.5.el6_10?arch=i686" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "product": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "product_id": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.14-6.5.el6_10?arch=i686" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "product": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "product_id": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.14-6.5.el6_10?arch=i686" } } } ], "category": "architecture", "name": "i686" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.14-6.5.el6_10.s390x", "product": { "name": "log4j-0:1.2.14-6.5.el6_10.s390x", "product_id": "log4j-0:1.2.14-6.5.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.5.el6_10?arch=s390x" } } }, { "category": "product_version", "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "product": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "product_id": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-debuginfo@1.2.14-6.5.el6_10?arch=s390x" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "product": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "product_id": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.14-6.5.el6_10?arch=s390x" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "product": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "product_id": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.14-6.5.el6_10?arch=s390x" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.17-16.el7_3.noarch", "product": { "name": "log4j-0:1.2.17-16.el7_3.noarch", "product_id": "log4j-0:1.2.17-16.el7_3.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-16.el7_3?arch=noarch" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "product": { "name": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "product_id": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.17-16.el7_3?arch=noarch" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.17-16.el7_3.noarch", "product": { "name": "log4j-manual-0:1.2.17-16.el7_3.noarch", "product_id": "log4j-manual-0:1.2.17-16.el7_3.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.17-16.el7_3?arch=noarch" } } }, { "category": "product_version", "name": "log4j-0:1.2.17-17.el7_4.noarch", "product": { "name": "log4j-0:1.2.17-17.el7_4.noarch", "product_id": "log4j-0:1.2.17-17.el7_4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-17.el7_4?arch=noarch" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "product": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "product_id": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.17-17.el7_4?arch=noarch" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.17-17.el7_4.noarch", "product": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch", "product_id": "log4j-manual-0:1.2.17-17.el7_4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.17-17.el7_4?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.src as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.src", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.src as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.src", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-16.el7_3.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src" }, "product_reference": "log4j-0:1.2.17-16.el7_3.src", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-manual-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-16.el7_3.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src" }, "product_reference": "log4j-0:1.2.17-16.el7_3.src", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-manual-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Workstation-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-optional-7.9.Z" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-20T09:54:00+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5206" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" } ] }
rhsa-2022:0435
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0435", "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0435.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update", "tracking": { "current_release_date": "2025-10-09T21:42:16+00:00", "generator": { "date": "2025-10-09T21:42:16+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0435", "initial_release_date": "2022-02-03T18:23:56+00:00", "revision_history": [ { "date": "2022-02-03T18:23:56+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:23:56+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:16+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 7.4 log4j async", "product": { "name": "EAP 7.4 log4j async", "product_id": "EAP 7.4 log4j async", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0445
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A new image is available for Red Hat Single Sign-On 7.4.10 on OpenJ9, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.4.10 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.3 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0445", "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2059", "url": "https://issues.redhat.com/browse/CIAM-2059" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0445.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.4.10 on OpenJ9 for OpenShift image security update", "tracking": { "current_release_date": "2024-11-26T02:51:54+00:00", "generator": { "date": "2024-11-26T02:51:54+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0445", "initial_release_date": "2022-02-07T14:22:21+00:00", "revision_history": [ { "date": "2022-02-07T14:22:21+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T14:22:22+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:54+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Middleware Containers for OpenShift", "product": { "name": "Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhosemc:1.0::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "product": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "product_id": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "product_identification_helper": { "purl": "pkg:oci/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8?arch=s390x\u0026repository_url=registry.redhat.io/rh-sso-7/sso74-openj9-openshift-rhel8\u0026tag=7.4-60" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "product": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "product_id": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "product_identification_helper": { "purl": "pkg:oci/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96?arch=ppc64le\u0026repository_url=registry.redhat.io/rh-sso-7/sso74-openj9-openshift-rhel8\u0026tag=7.4-60" } } } ], "category": "architecture", "name": "ppc64le" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le" }, "product_reference": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" }, "product_reference": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "relates_to_product_reference": "8Base-RHOSE-Middleware" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021:5141
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.6.52 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact\nof Critical. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5141", "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5141.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.6.52 security update", "tracking": { "current_release_date": "2025-10-22T11:00:20+00:00", "generator": { "date": "2025-10-22T11:00:20+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2021:5141", "initial_release_date": "2021-12-16T07:50:00+00:00", "revision_history": [ { "date": "2021-12-16T07:50:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T07:50:00+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-22T11:00:20+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.6", "product": { "name": "Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.6::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "product": { "name": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "product_id": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hadoop\u0026tag=v4.6.0-202112150545.p0.gf381145.assembly.art3595" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.6.0-202112150545.p0.gd74112d.assembly.art3595" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.6.0.202112150545.p0.gd74112d.assembly.art3595-1" } } }, { "category": "product_version", "name": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "product": { "name": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "product_id": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-presto\u0026tag=v4.6.0-202112150545.p0.g190688a.assembly.art3595" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" }, "product_reference": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" }, "product_reference": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T07:50:00+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T07:50:00+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Critical" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T07:50:00+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
rhsa-2022_5458
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 6.4. Red Hat Product Security has rated this update as having a security impact of Important.\n\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.23 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 6.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n\n* jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS (CVE-2020-14384)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:5458", "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index" }, { "category": "external", "summary": "1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "1871928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1871928" }, { "category": "external", "summary": "1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5458.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update", "tracking": { "current_release_date": "2024-12-08T11:38:35+00:00", "generator": { "date": "2024-12-08T11:38:35+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHSA-2022:5458", "initial_release_date": "2022-06-30T18:34:28+00:00", "revision_history": [ { "date": "2022-06-30T18:34:28+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-30T18:34:28+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-08T11:38:35+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 6.4.24 release", "product": { "name": "EAP 6.4.24 release", "product_id": "EAP 6.4.24 release", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-13935", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-07-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857024" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Certificate System 10.0 as well as Red Hat Enterprise Linux 8\u0027s Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, there is no entry point for WebSockets, thus it is not possible to trigger the flaw in a supported setup. A future update may fix the code. Similarly, Red Hat OpenStack Platform 13 does not ship with WebSocket functionality enabled by default.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-13935" }, { "category": "external", "summary": "RHBZ#1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-13935", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13935" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935" }, { "category": "external", "summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E", "url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E" }, { "category": "external", "summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7", "url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7" }, { "category": "external", "summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105", "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105" }, { "category": "external", "summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57", "url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57" }, { "category": "external", "summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37", "url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37" } ], "release_date": "2020-07-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS" }, { "cve": "CVE-2020-14384", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1875176" } ], "notes": [ { "category": "description", "text": "A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-14384" }, { "category": "external", "summary": "RHBZ#1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14384", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384" } ], "release_date": "2020-09-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0444
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A new image is available for Red Hat Single Sign-On 7.4.10 on OpenJDK, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.4.10 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.3 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0444", "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2060", "url": "https://issues.redhat.com/browse/CIAM-2060" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0444.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.4.10 on OpenJDK for OpenShift image security update", "tracking": { "current_release_date": "2024-11-26T02:52:09+00:00", "generator": { "date": "2024-11-26T02:52:09+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0444", "initial_release_date": "2022-02-07T13:41:18+00:00", "revision_history": [ { "date": "2022-02-07T13:41:18+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:41:18+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:52:09+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Middleware Containers for OpenShift", "product": { "name": "Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhosemc:1.0::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "product": { "name": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "product_id": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "product_identification_helper": { "purl": "pkg:oci/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b?arch=amd64\u0026repository_url=registry.redhat.io/rh-sso-7/sso74-openshift-rhel8\u0026tag=7.4-45" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" }, "product_reference": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:5459
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.23 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 6.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n\n* jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS (CVE-2020-14384)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:5459", "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index" }, { "category": "external", "summary": "1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "1871928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1871928" }, { "category": "external", "summary": "1873620", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1873620" }, { "category": "external", "summary": "1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5459.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update", "tracking": { "current_release_date": "2025-10-09T20:37:17+00:00", "generator": { "date": "2025-10-09T20:37:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:5459", "initial_release_date": "2022-06-30T19:00:12+00:00", "revision_history": [ { "date": "2022-06-30T19:00:12+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-30T19:00:12+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T20:37:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el6?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el6?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-13935", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-07-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857024" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Certificate System 10.0 as well as Red Hat Enterprise Linux 8\u0027s Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, there is no entry point for WebSockets, thus it is not possible to trigger the flaw in a supported setup. A future update may fix the code. Similarly, Red Hat OpenStack Platform 13 does not ship with WebSocket functionality enabled by default.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-13935" }, { "category": "external", "summary": "RHBZ#1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-13935", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13935" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935" }, { "category": "external", "summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E", "url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E" }, { "category": "external", "summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7", "url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7" }, { "category": "external", "summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105", "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105" }, { "category": "external", "summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57", "url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57" }, { "category": "external", "summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37", "url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37" } ], "release_date": "2020-07-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS" }, { "cve": "CVE-2020-14384", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1875176" } ], "notes": [ { "category": "description", "text": "A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-14384" }, { "category": "external", "summary": "RHBZ#1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14384", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384" } ], "release_date": "2020-09-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:0444
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A new image is available for Red Hat Single Sign-On 7.4.10 on OpenJDK, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.4.10 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.3 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0444", "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2060", "url": "https://issues.redhat.com/browse/CIAM-2060" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0444.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.4.10 on OpenJDK for OpenShift image security update", "tracking": { "current_release_date": "2025-10-09T21:42:17+00:00", "generator": { "date": "2025-10-09T21:42:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0444", "initial_release_date": "2022-02-07T13:41:18+00:00", "revision_history": [ { "date": "2022-02-07T13:41:18+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:41:18+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Middleware Containers for OpenShift", "product": { "name": "Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhosemc:1.0::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "product": { "name": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "product_id": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "product_identification_helper": { "purl": "pkg:oci/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b?arch=amd64\u0026repository_url=registry.redhat.io/rh-sso-7/sso74-openshift-rhel8\u0026tag=7.4-45" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" }, "product_reference": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:1299
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:1299", "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "JBEAP-22105", "url": "https://issues.redhat.com/browse/JBEAP-22105" }, { "category": "external", "summary": "JBEAP-22385", "url": "https://issues.redhat.com/browse/JBEAP-22385" }, { "category": "external", "summary": "JBEAP-22731", "url": "https://issues.redhat.com/browse/JBEAP-22731" }, { "category": "external", "summary": "JBEAP-22738", "url": "https://issues.redhat.com/browse/JBEAP-22738" }, { "category": "external", "summary": "JBEAP-22819", "url": "https://issues.redhat.com/browse/JBEAP-22819" }, { "category": "external", "summary": "JBEAP-22839", "url": "https://issues.redhat.com/browse/JBEAP-22839" }, { "category": "external", "summary": "JBEAP-22864", "url": "https://issues.redhat.com/browse/JBEAP-22864" }, { "category": "external", "summary": "JBEAP-22904", "url": "https://issues.redhat.com/browse/JBEAP-22904" }, { "category": "external", "summary": "JBEAP-22911", "url": "https://issues.redhat.com/browse/JBEAP-22911" }, { "category": "external", "summary": "JBEAP-22912", "url": "https://issues.redhat.com/browse/JBEAP-22912" }, { "category": "external", "summary": "JBEAP-22913", "url": "https://issues.redhat.com/browse/JBEAP-22913" }, { "category": "external", "summary": "JBEAP-22935", "url": "https://issues.redhat.com/browse/JBEAP-22935" }, { "category": "external", "summary": "JBEAP-22945", "url": "https://issues.redhat.com/browse/JBEAP-22945" }, { "category": "external", "summary": "JBEAP-22973", "url": "https://issues.redhat.com/browse/JBEAP-22973" }, { "category": "external", "summary": "JBEAP-23038", "url": "https://issues.redhat.com/browse/JBEAP-23038" }, { "category": "external", "summary": "JBEAP-23040", "url": "https://issues.redhat.com/browse/JBEAP-23040" }, { "category": "external", "summary": "JBEAP-23045", "url": "https://issues.redhat.com/browse/JBEAP-23045" }, { "category": "external", "summary": "JBEAP-23101", "url": "https://issues.redhat.com/browse/JBEAP-23101" }, { "category": "external", "summary": "JBEAP-23105", "url": "https://issues.redhat.com/browse/JBEAP-23105" }, { "category": "external", "summary": "JBEAP-23143", "url": "https://issues.redhat.com/browse/JBEAP-23143" }, { "category": "external", "summary": "JBEAP-23177", "url": "https://issues.redhat.com/browse/JBEAP-23177" }, { "category": "external", "summary": "JBEAP-23323", "url": "https://issues.redhat.com/browse/JBEAP-23323" }, { "category": "external", "summary": "JBEAP-23373", "url": "https://issues.redhat.com/browse/JBEAP-23373" }, { "category": "external", "summary": "JBEAP-23374", "url": "https://issues.redhat.com/browse/JBEAP-23374" }, { "category": "external", "summary": "JBEAP-23375", "url": "https://issues.redhat.com/browse/JBEAP-23375" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1299.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update", "tracking": { "current_release_date": "2025-10-09T21:42:24+00:00", "generator": { "date": "2025-10-09T21:42:24+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:1299", "initial_release_date": "2022-04-11T13:00:49+00:00", "revision_history": [ { "date": "2022-04-11T13:00:49+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-04-11T13:00:49+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:24+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 7.4.4 release", "product": { "name": "EAP 7.4.4 release", "product_id": "EAP 7.4.4 release", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:0448
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "New Red Hat Single Sign-On 7.5.1 packages are now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.5.1 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* undertow: client side invocation timeout raised when calling over HTTP and\nHTTP2 (CVE-2021-3859)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSSink (CVE-2022-23302)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use\nJDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0448", "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/", "url": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/" }, { "category": "external", "summary": "2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-1976", "url": "https://issues.redhat.com/browse/CIAM-1976" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0448.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update on RHEL 8", "tracking": { "current_release_date": "2025-10-09T21:42:18+00:00", "generator": { "date": "2025-10-09T21:42:18+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0448", "initial_release_date": "2022-02-07T13:54:48+00:00", "revision_history": [ { "date": "2022-02-07T13:54:48+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:54:48+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:18+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Single Sign-On 7.5 for RHEL 8", "product": { "name": "Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el8" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el8sso?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el8sso?arch=noarch" } } }, { "category": "product_version", "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_id": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@15.0.4-1.redhat_00003.1.el8sso?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "relates_to_product_reference": "8Base-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src as a component of Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "relates_to_product_reference": "8Base-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" }, "product_reference": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "relates_to_product_reference": "8Base-RHSSO-7.5" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3859", "cwe": { "id": "CWE-214", "name": "Invocation of Process Using Visible Sensitive Information" }, "discovery_date": "2021-09-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2010378" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: client side invocation timeout raised when calling over HTTP2", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3859" }, { "category": "external", "summary": "RHBZ#2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3859", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3859" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859" } ], "release_date": "2022-02-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: client side invocation timeout raised when calling over HTTP2" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021_5269
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for rh-maven36-log4j12 is now available for Red Hat Software Collections.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Log4j is a tool to help the programmer output log statements to a variety of output targets.\n\nSecurity Fix(es):\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5269", "url": "https://access.redhat.com/errata/RHSA-2021:5269" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5269.json" } ], "title": "Red Hat Security Advisory: rh-maven36-log4j12 security update", "tracking": { "current_release_date": "2024-11-26T02:51:40+00:00", "generator": { "date": "2024-11-26T02:51:40+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2021:5269", "initial_release_date": "2021-12-22T21:29:25+00:00", "revision_history": [ { "date": "2021-12-22T21:29:25+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-22T21:29:25+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:40+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Software Collections for RHEL Workstation(v. 7)", "product": { "name": "Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7" } } }, { "category": "product_name", "name": "Red Hat Software Collections for RHEL(v. 7)", "product": { "name": "Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7" } } } ], "category": "product_family", "name": "Red Hat Software Collections" }, { "branches": [ { "category": "product_version", "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "product": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "product_id": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-maven36-log4j12@1.2.17-23.3.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "product": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "product_id": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-maven36-log4j12@1.2.17-23.3.el7?arch=noarch" } } }, { "category": "product_version", "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "product": { "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "product_id": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-maven36-log4j12-javadoc@1.2.17-23.3.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" }, "product_reference": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" }, "product_reference": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "relates_to_product_reference": "7Workstation-RHSCL-3.8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-22T21:29:25+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5269" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" } ] }
rhsa-2022:0289
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0289", "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0289.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2025-10-09T21:42:15+00:00", "generator": { "date": "2025-10-09T21:42:15+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0289", "initial_release_date": "2022-01-26T14:57:42+00:00", "revision_history": [ { "date": "2022-01-26T14:57:42+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:57:42+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:15+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product": { "name": "Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_eus:8.4::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "product": { "name": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm (parfait:0.5)", "product_id": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "product": { "name": "parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm (parfait:0.5)", "product_id": "parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "product": { "name": "parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm (parfait:0.5)", "product_id": "parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "product": { "name": "pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm (parfait:0.5)", "product_id": "pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "product": { "name": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm (parfait:0.5)", "product_id": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=src\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8040020220124230039:d304d9ed" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5" }, "product_reference": "parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5" }, "product_reference": "pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-0.5.4-4.module+el8.4.0+13998+1b70e2b7.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.4.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:5460
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.23 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 6.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n\n* jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS (CVE-2020-14384)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:5460", "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index" }, { "category": "external", "summary": "1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "1871928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1871928" }, { "category": "external", "summary": "1873619", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1873619" }, { "category": "external", "summary": "1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5460.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update", "tracking": { "current_release_date": "2025-10-09T20:37:17+00:00", "generator": { "date": "2025-10-09T20:37:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:5460", "initial_release_date": "2022-06-30T19:14:26+00:00", "revision_history": [ { "date": "2022-06-30T19:14:26+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-30T19:14:26+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T20:37:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el7?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el7?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-13935", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-07-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857024" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Certificate System 10.0 as well as Red Hat Enterprise Linux 8\u0027s Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, there is no entry point for WebSockets, thus it is not possible to trigger the flaw in a supported setup. A future update may fix the code. Similarly, Red Hat OpenStack Platform 13 does not ship with WebSocket functionality enabled by default.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-13935" }, { "category": "external", "summary": "RHBZ#1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-13935", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13935" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935" }, { "category": "external", "summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E", "url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E" }, { "category": "external", "summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7", "url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7" }, { "category": "external", "summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105", "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105" }, { "category": "external", "summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57", "url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57" }, { "category": "external", "summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37", "url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37" } ], "release_date": "2020-07-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS" }, { "cve": "CVE-2020-14384", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1875176" } ], "notes": [ { "category": "description", "text": "A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-14384" }, { "category": "external", "summary": "RHBZ#1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14384", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384" } ], "release_date": "2020-09-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:0661
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A minor version update (from 7.10 to 7.10.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "This release of Red Hat Fuse 7.10.1 serves as a replacement for Red Hat Fuse 7.10, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0661", "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0661.json" } ], "title": "Red Hat Security Advisory: Red Hat Fuse 7.10.1 release and security update", "tracking": { "current_release_date": "2025-10-09T21:42:20+00:00", "generator": { "date": "2025-10-09T21:42:20+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0661", "initial_release_date": "2022-02-23T14:06:23+00:00", "revision_history": [ { "date": "2022-02-23T14:06:23+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-23T14:06:23+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:20+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Fuse 7.10.1", "product": { "name": "Red Hat Fuse 7.10.1", "product_id": "Red Hat Fuse 7.10.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_fuse:7" } } } ], "category": "product_family", "name": "Red Hat JBoss Fuse" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:5458
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 6.4. Red Hat Product Security has rated this update as having a security impact of Important.\n\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.23 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 6.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n\n* jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS (CVE-2020-14384)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:5458", "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index" }, { "category": "external", "summary": "1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "1871928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1871928" }, { "category": "external", "summary": "1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5458.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update", "tracking": { "current_release_date": "2025-10-09T20:37:16+00:00", "generator": { "date": "2025-10-09T20:37:16+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:5458", "initial_release_date": "2022-06-30T18:34:28+00:00", "revision_history": [ { "date": "2022-06-30T18:34:28+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-30T18:34:28+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T20:37:16+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 6.4.24 release", "product": { "name": "EAP 6.4.24 release", "product_id": "EAP 6.4.24 release", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-13935", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-07-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857024" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Certificate System 10.0 as well as Red Hat Enterprise Linux 8\u0027s Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, there is no entry point for WebSockets, thus it is not possible to trigger the flaw in a supported setup. A future update may fix the code. Similarly, Red Hat OpenStack Platform 13 does not ship with WebSocket functionality enabled by default.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-13935" }, { "category": "external", "summary": "RHBZ#1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-13935", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13935" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935" }, { "category": "external", "summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E", "url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E" }, { "category": "external", "summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7", "url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7" }, { "category": "external", "summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105", "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105" }, { "category": "external", "summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57", "url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57" }, { "category": "external", "summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37", "url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37" } ], "release_date": "2020-07-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS" }, { "cve": "CVE-2020-14384", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1875176" } ], "notes": [ { "category": "description", "text": "A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-14384" }, { "category": "external", "summary": "RHBZ#1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14384", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384" } ], "release_date": "2020-09-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2024:10207
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.3.11 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.10, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.11 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* cxf-core: Apache CXF SSRF Vulnerability using the Aegis databinding [eap-7.3.z] (CVE-2024-28752)\n\n* h2: Loading of custom classes from remote servers through JNDI [eap-7.3.z] (CVE-2022-23221)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer [eap-7.3.z] (CVE-2022-23307)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [eap-7.3.z] (CVE-2022-23305)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [eap-7.3.z] (CVE-2021-4104)\n\n* CXF: Apache CXF: SSRF Vulnerability [eap-7.3.z] (CVE-2022-46364)\n\n* log4j: log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging [eap-7.3.z] (CVE-2023-26464)\n\n* xalan: integer truncation issue in Xalan-J (JAXP, 8285407) [eap-7.3.z] (CVE-2022-34169)\n\n* xnio: StackOverflowException when the chain of notifier states becomes problematically big [eap-7.3.z] (CVE-2023-5685)\n\n* hsqldb: Untrusted input may lead to RCE attack [eap-7.3.z] (CVE-2022-41853)\n\n* server: eap-7: heap exhaustion via deserialization [eap-7.3.z] (CVE-2023-3171)\n\n* avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK [eap-7.3.z] (CVE-2023-39410)\n\n* undertow: client side invocation timeout raised when calling EJB over HTTP and HTTP2 [eap-7.3.z] (CVE-2021-3859)\n\n* avro: apache-avro: Schema parsing may trigger Remote Code Execution (RCE) [eap-7.3.z] (CVE-2024-47561)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2024:10207", "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3", "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/index", "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/index" }, { "category": "external", "summary": "2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "2044596", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044596" }, { "category": "external", "summary": "2108554", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2108554" }, { "category": "external", "summary": "2316116", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316116" }, { "category": "external", "summary": "2136141", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136141" }, { "category": "external", "summary": "2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "2182864", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182864" }, { "category": "external", "summary": "2213639", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2213639" }, { "category": "external", "summary": "2241822", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241822" }, { "category": "external", "summary": "2242521", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242521" }, { "category": "external", "summary": "2270732", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270732" }, { "category": "external", "summary": "JBEAP-23025", "url": "https://issues.redhat.com/browse/JBEAP-23025" }, { "category": "external", "summary": "JBEAP-28084", "url": "https://issues.redhat.com/browse/JBEAP-28084" }, { "category": "external", "summary": "JBEAP-28089", "url": "https://issues.redhat.com/browse/JBEAP-28089" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10207.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.3.11 Security update", "tracking": { "current_release_date": "2025-10-15T14:20:21+00:00", "generator": { "date": "2025-10-15T14:20:21+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2024:10207", "initial_release_date": "2024-11-25T00:12:17+00:00", "revision_history": [ { "date": "2024-11-25T00:12:17+00:00", "number": "1", "summary": "Initial version" }, { "date": "2024-11-25T00:12:17+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-15T14:20:21+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-marshalling@2.0.15-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "product": { "name": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "product_id": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-cxf@3.4.10-1.SP1_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.7.13-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "product": { "name": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "product_id": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-avro@1.7.6-8.redhat_00003.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "product": { "name": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "product_id": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j@2.3.3-2.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src", "product": { "name": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src", "product_id": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xml-security@2.2.3-2.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "product": { "name": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "product_id": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xalan-j2@2.7.1-38.redhat_00015.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-2.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "product": { "name": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "product_id": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-h2database@1.4.197-3.redhat_00004.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-annotations-api_1.3_spec@2.0.1-4.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "product": { "name": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "product_id": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.7.2-12.Final_redhat_00013.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.3.11-4.GA_redhat_00002.1.el7eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-marshalling@2.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-marshalling-river@2.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_id": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-cxf@3.4.10-1.SP1_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_id": "eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-cxf-rt@3.4.10-1.SP1_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_id": "eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-cxf-services@3.4.10-1.SP1_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_id": "eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-cxf-tools@3.4.10-1.SP1_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.7.13-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "product_id": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-avro@1.7.6-8.redhat_00003.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j-bindings@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j-policy@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j-ws-security-common@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j-ws-security-dom@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j-ws-security-policy-stax@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j-ws-security-stax@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xml-security@2.2.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "product": { "name": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "product_id": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xalan-j2@2.7.1-38.redhat_00015.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-2.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "product": { "name": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "product_id": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-h2database@1.4.197-3.redhat_00004.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-annotations-api_1.3_spec@2.0.1-4.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap6.4@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap6.4-to-eap7.3@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap7.0@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap7.1@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap7.2@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap7.2-to-eap7.3@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap7.3-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly10.0@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly10.1@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly11.0@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly12.0@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly13.0-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly14.0-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly15.0-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly16.0-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly17.0-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly18.0-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly8.2@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly9.0@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.3.11-4.GA_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.3.11-4.GA_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.3.11-4.GA_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.3.11-4.GA_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.3.11-4.GA_redhat_00002.1.el7eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src" }, "product_reference": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch" }, "product_reference": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src" }, "product_reference": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src" }, "product_reference": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch" }, "product_reference": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src" }, "product_reference": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3859", "cwe": { "id": "CWE-214", "name": "Invocation of Process Using Visible Sensitive Information" }, "discovery_date": "2021-09-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2010378" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: client side invocation timeout raised when calling over HTTP2", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3859" }, { "category": "external", "summary": "RHBZ#2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3859", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3859" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859" } ], "release_date": "2022-02-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: client side invocation timeout raised when calling over HTTP2" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23221", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2044596" } ], "notes": [ { "category": "description", "text": "A flaw was found in the H2 Console. This flaw allows remote attackers to execute arbitrary code via a JDBC URL, concatenating with a substring that allows remote code execution by using a script.", "title": "Vulnerability description" }, { "category": "summary", "text": "h2: Loading of custom classes from remote servers through JNDI", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift Container Platform (OCP) the openshift-enterprise-3.11/metrics-hawkular-metrics-container container image ships a vulnerable version of h2 as part of the underlying images, but as it uses standard configuration and Console is not enabled/started by default, therefore the impact by this vulnerability is LOW and will not be fixed as OCP 3.x has already reached End of Full Support.\n\n[1] https://access.redhat.com/support/policy/updates/openshift_noncurrent", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23221" }, { "category": "external", "summary": "RHBZ#2044596", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044596" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23221", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23221" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23221", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23221" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-45hx-wfhj-473x", "url": "https://github.com/advisories/GHSA-45hx-wfhj-473x" } ], "release_date": "2022-01-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "h2: Loading of custom classes from remote servers through JNDI" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" }, { "cve": "CVE-2022-34169", "cwe": { "id": "CWE-192", "name": "Integer Coercion Error" }, "discovery_date": "2022-07-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2108554" } ], "notes": [ { "category": "description", "text": "The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.", "title": "Vulnerability description" }, { "category": "summary", "text": "OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-34169" }, { "category": "external", "summary": "RHBZ#2108554", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2108554" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-34169", "url": "https://www.cve.org/CVERecord?id=CVE-2022-34169" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-34169", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34169" } ], "release_date": "2022-07-19T20:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)" }, { "cve": "CVE-2022-41853", "cwe": { "id": "CWE-470", "name": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)" }, "discovery_date": "2022-10-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2136141" } ], "notes": [ { "category": "description", "text": "A flaw was found in the HSQLDB package. This flaw allows untrusted inputs to execute remote code due to any static method of any Java class in the classpath, resulting in code execution by default.", "title": "Vulnerability description" }, { "category": "summary", "text": "hsqldb: Untrusted input may lead to RCE attack", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-41853" }, { "category": "external", "summary": "RHBZ#2136141", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136141" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41853", "url": "https://www.cve.org/CVERecord?id=CVE-2022-41853" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41853", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41853" }, { "category": "external", "summary": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control", "url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-77xx-rxvh-q682", "url": "https://github.com/advisories/GHSA-77xx-rxvh-q682" } ], "release_date": "2022-10-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "By default, the static methods of any class that is on the classpath are available for use and can compromise security in some systems. The optional Java system property, hsqldb.method_class_names, allows preventing access to classes other than java.lang.Math or specifying a semicolon-separated list of allowed classes. A property value that ends with .* is treated as a wild card and allows access to all class or method names formed by substitution of the * (asterisk).\n\nIn the example below, the property has been included as an argument to the Java command.\n\n java -Dhsqldb.method_class_names=\"org.me.MyClass;org.you.YourClass;org.you.lib.*\" [the rest of the command line]\n\nThe above example allows access to the methods in the two classes: org.me.MyClass and org.you.YourClass together with all the classes in the org.you.lib package. Note that if the property is not defined, no access control is performed at this level.\n\nThe user who creates a Java routine must have the relevant access privileges on the tables that are used inside the Java method.\n\nOnce the routine has been defined, the normal database access control applies to its user. The routine can be executed only by those users who have been granted EXECUTE privileges on it. Access to routines can be granted to users with GRANT EXECUTE or GRANT ALL. For example, GRANT EXECUTE ON myroutine TO PUBLIC.\n\nIn hsqldb 2.7.1, all classes by default are not accessible, except those in java.lang.Math and need to be manually enabled.", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "hsqldb: Untrusted input may lead to RCE attack" }, { "cve": "CVE-2022-46364", "cwe": { "id": "CWE-918", "name": "Server-Side Request Forgery (SSRF)" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155682" } ], "notes": [ { "category": "description", "text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: SSRF Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46364" }, { "category": "external", "summary": "RHBZ#2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46364" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364" }, { "category": "external", "summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2", "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "CXF: SSRF Vulnerability" }, { "cve": "CVE-2023-3171", "cwe": { "id": "CWE-789", "name": "Memory Allocation with Excessive Size Value" }, "discovery_date": "2023-04-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2213639" } ], "notes": [ { "category": "description", "text": "A flaw was found in EAP-7 during deserialization of certain classes, which permits instantiation of HashMap and HashTable with no checks on resources consumed. This issue could allow an attacker to submit malicious requests using these classes, which could eventually exhaust the heap and result in a Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "eap-7: heap exhaustion via deserialization", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-3171" }, { "category": "external", "summary": "RHBZ#2213639", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2213639" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-3171", "url": "https://www.cve.org/CVERecord?id=CVE-2023-3171" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-3171", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3171" } ], "release_date": "2023-10-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "eap-7: heap exhaustion via deserialization" }, { "cve": "CVE-2023-5685", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-10-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2241822" } ], "notes": [ { "category": "description", "text": "A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS).", "title": "Vulnerability description" }, { "category": "summary", "text": "xnio: StackOverflowException when the chain of notifier states becomes problematically big", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat rates this vulnerability as an Important impact as the uncontrolled resource consumption may lead to Denial of Service (DoS). This might be intentioned by an attacker who is looking to jeopardize an environment.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-5685" }, { "category": "external", "summary": "RHBZ#2241822", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241822" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-5685", "url": "https://www.cve.org/CVERecord?id=CVE-2023-5685" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-5685", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5685" } ], "release_date": "2024-03-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "There is currently no mitigation available for this vulnerability. Please keep the packages up-to-date as the updates become available.", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "xnio: StackOverflowException when the chain of notifier states becomes problematically big" }, { "cve": "CVE-2023-26464", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-03-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2182864" } ], "notes": [ { "category": "description", "text": "A flaw was found in Chainsaw and SocketAppender components with Log4j 1.x on JRE, less than 1.7. This issue may allow an attacker to use a logging entry with a specially-crafted hashmap or hashtable, depending on which logging component is in use, to process and exhaust the available memory in the virtual machine, resulting in a Denial of Service when the object is deserialized. This issue affects Apache Log4j before version 2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j1-socketappender: DoS via hashmap logging", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux 8 and 9 security impacts have been reduced to Low as they do not enable the vulnerable JDK by default.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-26464" }, { "category": "external", "summary": "RHBZ#2182864", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182864" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-26464", "url": "https://www.cve.org/CVERecord?id=CVE-2023-26464" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-26464", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26464" }, { "category": "external", "summary": "https://www.ibm.com/support/pages/security-bulletin-vulnerability-log4j-1216jar-affect-ibm-operations-analytics-log-analysis-cve-2023-26464", "url": "https://www.ibm.com/support/pages/security-bulletin-vulnerability-log4j-1216jar-affect-ibm-operations-analytics-log-analysis-cve-2023-26464" } ], "release_date": "2023-03-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j1-socketappender: DoS via hashmap logging" }, { "cve": "CVE-2023-39410", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2023-10-06T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2242521" } ], "notes": [ { "category": "description", "text": "A flaw was found in apache-avro. When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints, leading to an out-of-memory error and a denial of service on the system.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-39410" }, { "category": "external", "summary": "RHBZ#2242521", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242521" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-39410", "url": "https://www.cve.org/CVERecord?id=CVE-2023-39410" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39410", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39410" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/AVRO-3819", "url": "https://issues.apache.org/jira/browse/AVRO-3819" } ], "release_date": "2023-09-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK" }, { "cve": "CVE-2024-28752", "cwe": { "id": "CWE-918", "name": "Server-Side Request Forgery (SSRF)" }, "discovery_date": "2024-03-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2270732" } ], "notes": [ { "category": "description", "text": "A server-side request forgery (SSRF) vulnerability was found in Apache CXF. This issue occurs in attacks on webservices that take at least one parameter of any type, and when Aegisdatabind is used. Users of other data bindings including the default databinding are not impacted.", "title": "Vulnerability description" }, { "category": "summary", "text": "cxf-core: Apache CXF SSRF Vulnerability using the Aegis databinding", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat rates this as an Important impact due to the fact this requires Aegis databind, which is not the default databinding for Apache CXF.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-28752" }, { "category": "external", "summary": "RHBZ#2270732", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270732" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2024-28752", "url": "https://www.cve.org/CVERecord?id=CVE-2024-28752" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-28752", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28752" }, { "category": "external", "summary": "https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt", "url": "https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-qmgx-j96g-4428", "url": "https://github.com/advisories/GHSA-qmgx-j96g-4428" } ], "release_date": "2024-03-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "No mitigation is currently available for this vulnerability. Please make sure to update as the fixes become available.", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "cxf-core: Apache CXF SSRF Vulnerability using the Aegis databinding" }, { "cve": "CVE-2024-47561", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2024-10-02T14:04:06.018000+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2316116" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Apache Avro. The project is affected and at risk if it accepts an org.apache.Avro/avroAvro schema for parsing provided by an end user. This flaw allows an attacker to trigger remote code execution by using the special \"java-class\" attribute.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-avro: Schema parsing may trigger Remote Code Execution (RCE)", "title": "Vulnerability summary" }, { "category": "other", "text": "The Red Hat build of Apache Camel K 1.10 was rated Important as it allows users to provide an Avro schema for parsing. Note that this functionality is limited to authenticated users.\n\nRed Hat Single Sign-On 7 ships the affected component in its maven repository but does not use it in the product. As such it is affected but not vulnerable to the flaw, and is assessed at Moderate security impact.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-47561" }, { "category": "external", "summary": "RHBZ#2316116", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316116" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2024-47561", "url": "https://www.cve.org/CVERecord?id=CVE-2024-47561" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47561", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47561" } ], "release_date": "2024-10-03T12:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "1. Avoid parsing user-provided schemas.\n2. Ensure proper input validation and sanitization of schemas before parsing.\n3. Monitor systems for any unusual activities that may indicate exploitation attempts.\n4. Apply the principle of least privilege to minimize the potential impact of successful exploits.", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "apache-avro: Schema parsing may trigger Remote Code Execution (RCE)" } ] }
rhsa-2022_0430
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for Red Hat Data Grid is now available.\n \nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.\n \nData Grid 7.3.9 replaces Data Grid 7.3.8 and includes bug fixes and enhancements. Find out more about Data Grid 7.3.8 in the Release Notes [3].\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0430", "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=7.3\u0026downloadType=patches", "url": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=7.3\u0026downloadType=patches" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0430.json" } ], "title": "Red Hat Security Advisory: Red Hat Data Grid 7.3.9 security update", "tracking": { "current_release_date": "2024-11-26T02:51:25+00:00", "generator": { "date": "2024-11-26T02:51:25+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0430", "initial_release_date": "2022-02-03T14:04:37+00:00", "revision_history": [ { "date": "2022-02-03T14:04:37+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T14:04:37+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:25+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Data Grid 7.3.9", "product": { "name": "Red Hat Data Grid 7.3.9", "product_id": "Red Hat Data Grid 7.3.9", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_data_grid:7.3" } } } ], "category": "product_family", "name": "Red Hat JBoss Data Grid" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:0291
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0291", "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0291.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2025-10-09T21:42:15+00:00", "generator": { "date": "2025-10-09T21:42:15+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0291", "initial_release_date": "2022-01-26T14:54:58+00:00", "revision_history": [ { "date": "2022-01-26T14:54:58+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:54:58+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:15+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product": { "name": "Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_eus:8.2::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "product": { "name": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm (parfait:0.5)", "product_id": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "product": { "name": "parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm (parfait:0.5)", "product_id": "parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "product": { "name": "parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm (parfait:0.5)", "product_id": "parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "product": { "name": "pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm (parfait:0.5)", "product_id": "pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "product": { "name": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm (parfait:0.5)", "product_id": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=src\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5" }, "product_reference": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5" }, "product_reference": "pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:0450
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A new image is available for Red Hat Single Sign-On 7.5.1, running on OpenShift Container Platform 3.10 and 3.11, and 4.9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.5.1 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.9 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0450", "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2055", "url": "https://issues.redhat.com/browse/CIAM-2055" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0450.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 for OpenShift image security and enhancement update", "tracking": { "current_release_date": "2025-10-09T21:42:18+00:00", "generator": { "date": "2025-10-09T21:42:18+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0450", "initial_release_date": "2022-02-07T14:45:54+00:00", "revision_history": [ { "date": "2022-02-07T14:45:54+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T14:45:54+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:18+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Middleware Containers for OpenShift", "product": { "name": "Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhosemc:1.0::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "product": { "name": "rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "product_id": "rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "product_identification_helper": { "purl": "pkg:oci/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463?arch=amd64\u0026repository_url=registry.redhat.io/rh-sso-7/sso7-rhel8-operator-bundle\u0026tag=7.5.1-9" } } }, { "category": "product_version", "name": "rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64", "product": { "name": "rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64", "product_id": "rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64", "product_identification_helper": { "purl": "pkg:oci/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a?arch=amd64\u0026repository_url=registry.redhat.io/rh-sso-7/sso75-openshift-rhel8\u0026tag=7.5-17" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64" }, "product_reference": "rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" }, "product_reference": "rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:45:54+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:45:54+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:45:54+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:45:54+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:0444
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A new image is available for Red Hat Single Sign-On 7.4.10 on OpenJDK, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.4.10 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.3 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0444", "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2060", "url": "https://issues.redhat.com/browse/CIAM-2060" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0444.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.4.10 on OpenJDK for OpenShift image security update", "tracking": { "current_release_date": "2025-10-09T21:42:17+00:00", "generator": { "date": "2025-10-09T21:42:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0444", "initial_release_date": "2022-02-07T13:41:18+00:00", "revision_history": [ { "date": "2022-02-07T13:41:18+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:41:18+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Middleware Containers for OpenShift", "product": { "name": "Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhosemc:1.0::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "product": { "name": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "product_id": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "product_identification_helper": { "purl": "pkg:oci/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b?arch=amd64\u0026repository_url=registry.redhat.io/rh-sso-7/sso74-openshift-rhel8\u0026tag=7.4-45" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" }, "product_reference": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2021:5206
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for log4j is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 7.3 Advanced Update Support, Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.6 Advanced Update Support, Red Hat Enterprise Linux 7.6 Telco Extended Update Support, Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.7 Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Log4j is a tool to help the programmer output log statements to a variety of output targets.\n\nSecurity Fix(es):\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5206", "url": "https://access.redhat.com/errata/RHSA-2021:5206" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5206.json" } ], "title": "Red Hat Security Advisory: log4j security update", "tracking": { "current_release_date": "2025-10-09T21:42:10+00:00", "generator": { "date": "2025-10-09T21:42:10+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2021:5206", "initial_release_date": "2021-12-20T09:54:00+00:00", "revision_history": [ { "date": "2021-12-20T09:54:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-20T09:54:00+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:10+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux Server (v. 6 ELS)", "product": { "name": "Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_els:6" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product": { "name": "Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_els:6" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.3)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.3::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.3::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.4)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.4::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.4::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server E4S (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server TUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server E4S (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server TUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Client (v. 7)", "product": { "name": "Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::client" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Client Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::client" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::computenode" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server (v. 7)", "product": { "name": "Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Workstation (v. 7)", "product": { "name": "Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::workstation" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Workstation Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::workstation" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.14-6.5.el6_10.src", "product": { "name": "log4j-0:1.2.14-6.5.el6_10.src", "product_id": "log4j-0:1.2.14-6.5.el6_10.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.5.el6_10?arch=src" } } }, { "category": "product_version", "name": "log4j-0:1.2.17-16.el7_3.src", "product": { "name": "log4j-0:1.2.17-16.el7_3.src", "product_id": "log4j-0:1.2.17-16.el7_3.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-16.el7_3?arch=src" } } }, { "category": "product_version", "name": "log4j-0:1.2.17-17.el7_4.src", "product": { "name": "log4j-0:1.2.17-17.el7_4.src", "product_id": "log4j-0:1.2.17-17.el7_4.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-17.el7_4?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.14-6.5.el6_10.x86_64", "product": { "name": "log4j-0:1.2.14-6.5.el6_10.x86_64", "product_id": "log4j-0:1.2.14-6.5.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.5.el6_10?arch=x86_64" } } }, { "category": "product_version", "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "product": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "product_id": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-debuginfo@1.2.14-6.5.el6_10?arch=x86_64" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "product": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "product_id": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.14-6.5.el6_10?arch=x86_64" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "product": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "product_id": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.14-6.5.el6_10?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.14-6.5.el6_10.i686", "product": { "name": "log4j-0:1.2.14-6.5.el6_10.i686", "product_id": "log4j-0:1.2.14-6.5.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.5.el6_10?arch=i686" } } }, { "category": "product_version", "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "product": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "product_id": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-debuginfo@1.2.14-6.5.el6_10?arch=i686" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "product": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "product_id": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.14-6.5.el6_10?arch=i686" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "product": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "product_id": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.14-6.5.el6_10?arch=i686" } } } ], "category": "architecture", "name": "i686" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.14-6.5.el6_10.s390x", "product": { "name": "log4j-0:1.2.14-6.5.el6_10.s390x", "product_id": "log4j-0:1.2.14-6.5.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.5.el6_10?arch=s390x" } } }, { "category": "product_version", "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "product": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "product_id": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-debuginfo@1.2.14-6.5.el6_10?arch=s390x" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "product": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "product_id": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.14-6.5.el6_10?arch=s390x" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "product": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "product_id": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.14-6.5.el6_10?arch=s390x" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.17-16.el7_3.noarch", "product": { "name": "log4j-0:1.2.17-16.el7_3.noarch", "product_id": "log4j-0:1.2.17-16.el7_3.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-16.el7_3?arch=noarch" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "product": { "name": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "product_id": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.17-16.el7_3?arch=noarch" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.17-16.el7_3.noarch", "product": { "name": "log4j-manual-0:1.2.17-16.el7_3.noarch", "product_id": "log4j-manual-0:1.2.17-16.el7_3.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.17-16.el7_3?arch=noarch" } } }, { "category": "product_version", "name": "log4j-0:1.2.17-17.el7_4.noarch", "product": { "name": "log4j-0:1.2.17-17.el7_4.noarch", "product_id": "log4j-0:1.2.17-17.el7_4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-17.el7_4?arch=noarch" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "product": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "product_id": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.17-17.el7_4?arch=noarch" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.17-17.el7_4.noarch", "product": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch", "product_id": "log4j-manual-0:1.2.17-17.el7_4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.17-17.el7_4?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.src as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.src", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.src as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.src", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-16.el7_3.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src" }, "product_reference": "log4j-0:1.2.17-16.el7_3.src", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-manual-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-16.el7_3.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src" }, "product_reference": "log4j-0:1.2.17-16.el7_3.src", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-manual-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Workstation-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-optional-7.9.Z" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-20T09:54:00+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5206" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" } ] }
rhsa-2022_0448
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "New Red Hat Single Sign-On 7.5.1 packages are now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.5.1 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* undertow: client side invocation timeout raised when calling over HTTP and\nHTTP2 (CVE-2021-3859)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSSink (CVE-2022-23302)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use\nJDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0448", "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/", "url": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/" }, { "category": "external", "summary": "2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-1976", "url": "https://issues.redhat.com/browse/CIAM-1976" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0448.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update on RHEL 8", "tracking": { "current_release_date": "2024-11-26T02:51:19+00:00", "generator": { "date": "2024-11-26T02:51:19+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0448", "initial_release_date": "2022-02-07T13:54:48+00:00", "revision_history": [ { "date": "2022-02-07T13:54:48+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:54:48+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:19+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Single Sign-On 7.5 for RHEL 8", "product": { "name": "Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el8" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el8sso?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el8sso?arch=noarch" } } }, { "category": "product_version", "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_id": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@15.0.4-1.redhat_00003.1.el8sso?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "relates_to_product_reference": "8Base-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src as a component of Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "relates_to_product_reference": "8Base-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" }, "product_reference": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "relates_to_product_reference": "8Base-RHSSO-7.5" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3859", "cwe": { "id": "CWE-214", "name": "Invocation of Process Using Visible Sensitive Information" }, "discovery_date": "2021-09-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2010378" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: client side invocation timeout raised when calling over HTTP2", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3859" }, { "category": "external", "summary": "RHBZ#2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3859", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3859" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859" } ], "release_date": "2022-02-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: client side invocation timeout raised when calling over HTTP2" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0438
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis asynchronous patch is an update for JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5, 6, and 7. All users of Red Hat JBoss Enterprise Application Platform 6.4 are advised to upgrade to this updated package.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0438", "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0438.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4 security update", "tracking": { "current_release_date": "2024-11-26T02:51:40+00:00", "generator": { "date": "2024-11-26T02:51:40+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0438", "initial_release_date": "2022-02-03T18:51:47+00:00", "revision_history": [ { "date": "2022-02-03T18:51:47+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:51:47+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:40+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6" } } }, { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:0446
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat Single Sign-On 7.4 from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.4.10 serves as a replacement for Red Hat Single Sign-On 7.4.9, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0446", "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.4" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2064", "url": "https://issues.redhat.com/browse/CIAM-2064" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0446.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.4.10 security update", "tracking": { "current_release_date": "2025-10-09T21:42:17+00:00", "generator": { "date": "2025-10-09T21:42:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0446", "initial_release_date": "2022-02-07T13:43:49+00:00", "revision_history": [ { "date": "2022-02-07T13:43:49+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:43:49+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Single Sign-On 7.4.10", "product": { "name": "Red Hat Single Sign-On 7.4.10", "product_id": "Red Hat Single Sign-On 7.4.10", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0446
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat Single Sign-On 7.4 from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.4.10 serves as a replacement for Red Hat Single Sign-On 7.4.9, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0446", "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.4" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2064", "url": "https://issues.redhat.com/browse/CIAM-2064" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0446.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.4.10 security update", "tracking": { "current_release_date": "2024-11-26T02:51:11+00:00", "generator": { "date": "2024-11-26T02:51:11+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0446", "initial_release_date": "2022-02-07T13:43:49+00:00", "revision_history": [ { "date": "2022-02-07T13:43:49+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:43:49+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:11+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Single Sign-On 7.4.10", "product": { "name": "Red Hat Single Sign-On 7.4.10", "product_id": "Red Hat Single Sign-On 7.4.10", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0497
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Data Virtualization.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.\n\nThis Service Pack release of Red Hat JBoss Data Virtualization 6.4.8.SP1 (Service Pack 1) serves as a replacement for Red Hat JBoss Data Virtualization 6.4.8, and mitigates the impact of the log4j CVE\u0027s referenced in this document by removing the affected classes from the patch.\n\nNote: customers should update their EAP 6.4 installation with the corresponding security fixes that have been released for that (see RHSA-2022:0437 and https://access.redhat.com/site/solutions/625683)\n\nSecurity Fix(es):\n\n* log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\n* log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0497", "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/" }, { "category": "external", "summary": "1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0497.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.4.8.SP1 security update", "tracking": { "current_release_date": "2024-11-26T02:52:24+00:00", "generator": { "date": "2024-11-26T02:52:24+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0497", "initial_release_date": "2022-02-09T13:11:07+00:00", "revision_history": [ { "date": "2022-02-09T13:11:07+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-09T13:11:07+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:52:24+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Data Virtualization 6.4.8.SP1", "product": { "name": "Red Hat JBoss Data Virtualization 6.4.8.SP1", "product_id": "Red Hat JBoss Data Virtualization 6.4.8.SP1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Data Virtualization" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-17571", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-12-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1785616" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: deserialization of untrusted data in SocketServer", "title": "Vulnerability summary" }, { "category": "other", "text": "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-17571" }, { "category": "external", "summary": "RHBZ#1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-17571", "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571" } ], "release_date": "2019-12-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: deserialization of untrusted data in SocketServer" }, { "cve": "CVE-2020-9488", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2020-04-25T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1831139" } ], "notes": [ { "category": "description", "text": "Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: improper validation of certificate with host mismatch in SMTP appender", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-9488" }, { "category": "external", "summary": "RHBZ#1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9488", "url": "https://www.cve.org/CVERecord?id=CVE-2020-9488" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488" } ], "release_date": "2020-04-25T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "Previous versions can set the system property mail.smtp.ssl.checkserveridentity to true to globally enable hostname verification for SMTPS connections.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: improper validation of certificate with host mismatch in SMTP appender" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021:5184
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.7.40 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046 (CVE-2021-4125)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5184", "url": "https://access.redhat.com/errata/RHSA-2021:5184" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5184.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.7.40 security update", "tracking": { "current_release_date": "2025-10-09T21:42:14+00:00", "generator": { "date": "2025-10-09T21:42:14+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2021:5184", "initial_release_date": "2021-12-16T21:40:28+00:00", "revision_history": [ { "date": "2021-12-16T21:40:28+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T21:40:28+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:14+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.7", "product": { "name": "Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.7::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64", "product": { "name": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64", "product_id": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hive\u0026tag=v4.7.0-202112160422.p0.g6a2b6aa.assembly.4.7.40" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.7.0-202112160422.p0.g3959be4.assembly.4.7.40" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.7.0.202112160422.p0.g3959be4.assembly.4.7.40-1" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" }, "product_reference": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T21:40:28+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5184" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-4125", "discovery_date": "2021-12-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2033121" } ], "notes": [ { "category": "description", "text": "It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed.", "title": "Vulnerability description" }, { "category": "summary", "text": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046", "title": "Vulnerability summary" }, { "category": "other", "text": "This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6. The below previously shipped advisories were incomplete:\n\nhttps://access.redhat.com/errata/RHSA-2021:5108\n\nhttps://access.redhat.com/errata/RHSA-2021:5107\n\nhttps://access.redhat.com/errata/RHSA-2021:5106\n\nFor the complete fix, customers should upgrade to the images shipped in these advisories:\n\n4.8.24: https://access.redhat.com/errata/RHSA-2021:5183\n\n4.7.40: https://access.redhat.com/errata/RHSA-2021:5184\n\n4.6.52 https://access.redhat.com/errata/RHSA-2021:5186\n\nThe OpenShift Metering hive container images were deprecated in OpenShift 4.8, and not shipped in 4.9 or later.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4125" }, { "category": "external", "summary": "RHBZ#2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4125", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4125" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-45046", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" } ], "release_date": "2021-12-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T21:40:28+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5184" }, { "category": "workaround", "details": "Please follow the Mitigation advice for the original CVEs.", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046" } ] }
RHSA-2021:5184
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.7.40 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046 (CVE-2021-4125)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5184", "url": "https://access.redhat.com/errata/RHSA-2021:5184" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5184.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.7.40 security update", "tracking": { "current_release_date": "2025-10-09T21:42:14+00:00", "generator": { "date": "2025-10-09T21:42:14+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2021:5184", "initial_release_date": "2021-12-16T21:40:28+00:00", "revision_history": [ { "date": "2021-12-16T21:40:28+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T21:40:28+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:14+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.7", "product": { "name": "Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.7::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64", "product": { "name": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64", "product_id": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hive\u0026tag=v4.7.0-202112160422.p0.g6a2b6aa.assembly.4.7.40" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.7.0-202112160422.p0.g3959be4.assembly.4.7.40" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.7.0.202112160422.p0.g3959be4.assembly.4.7.40-1" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" }, "product_reference": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T21:40:28+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5184" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-4125", "discovery_date": "2021-12-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2033121" } ], "notes": [ { "category": "description", "text": "It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed.", "title": "Vulnerability description" }, { "category": "summary", "text": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046", "title": "Vulnerability summary" }, { "category": "other", "text": "This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6. The below previously shipped advisories were incomplete:\n\nhttps://access.redhat.com/errata/RHSA-2021:5108\n\nhttps://access.redhat.com/errata/RHSA-2021:5107\n\nhttps://access.redhat.com/errata/RHSA-2021:5106\n\nFor the complete fix, customers should upgrade to the images shipped in these advisories:\n\n4.8.24: https://access.redhat.com/errata/RHSA-2021:5183\n\n4.7.40: https://access.redhat.com/errata/RHSA-2021:5184\n\n4.6.52 https://access.redhat.com/errata/RHSA-2021:5186\n\nThe OpenShift Metering hive container images were deprecated in OpenShift 4.8, and not shipped in 4.9 or later.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4125" }, { "category": "external", "summary": "RHBZ#2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4125", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4125" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-45046", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" } ], "release_date": "2021-12-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T21:40:28+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5184" }, { "category": "workaround", "details": "Please follow the Mitigation advice for the original CVEs.", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046" } ] }
rhsa-2022_5459
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.23 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 6.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n\n* jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS (CVE-2020-14384)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:5459", "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index" }, { "category": "external", "summary": "1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "1871928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1871928" }, { "category": "external", "summary": "1873620", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1873620" }, { "category": "external", "summary": "1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5459.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update", "tracking": { "current_release_date": "2024-12-08T11:38:05+00:00", "generator": { "date": "2024-12-08T11:38:05+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHSA-2022:5459", "initial_release_date": "2022-06-30T19:00:12+00:00", "revision_history": [ { "date": "2022-06-30T19:00:12+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-30T19:00:12+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-08T11:38:05+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el6?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el6?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-13935", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-07-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857024" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Certificate System 10.0 as well as Red Hat Enterprise Linux 8\u0027s Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, there is no entry point for WebSockets, thus it is not possible to trigger the flaw in a supported setup. A future update may fix the code. Similarly, Red Hat OpenStack Platform 13 does not ship with WebSocket functionality enabled by default.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-13935" }, { "category": "external", "summary": "RHBZ#1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-13935", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13935" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935" }, { "category": "external", "summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E", "url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E" }, { "category": "external", "summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7", "url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7" }, { "category": "external", "summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105", "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105" }, { "category": "external", "summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57", "url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57" }, { "category": "external", "summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37", "url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37" } ], "release_date": "2020-07-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS" }, { "cve": "CVE-2020-14384", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1875176" } ], "notes": [ { "category": "description", "text": "A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-14384" }, { "category": "external", "summary": "RHBZ#1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14384", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384" } ], "release_date": "2020-09-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:1299
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:1299", "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "JBEAP-22105", "url": "https://issues.redhat.com/browse/JBEAP-22105" }, { "category": "external", "summary": "JBEAP-22385", "url": "https://issues.redhat.com/browse/JBEAP-22385" }, { "category": "external", "summary": "JBEAP-22731", "url": "https://issues.redhat.com/browse/JBEAP-22731" }, { "category": "external", "summary": "JBEAP-22738", "url": "https://issues.redhat.com/browse/JBEAP-22738" }, { "category": "external", "summary": "JBEAP-22819", "url": "https://issues.redhat.com/browse/JBEAP-22819" }, { "category": "external", "summary": "JBEAP-22839", "url": "https://issues.redhat.com/browse/JBEAP-22839" }, { "category": "external", "summary": "JBEAP-22864", "url": "https://issues.redhat.com/browse/JBEAP-22864" }, { "category": "external", "summary": "JBEAP-22904", "url": "https://issues.redhat.com/browse/JBEAP-22904" }, { "category": "external", "summary": "JBEAP-22911", "url": "https://issues.redhat.com/browse/JBEAP-22911" }, { "category": "external", "summary": "JBEAP-22912", "url": "https://issues.redhat.com/browse/JBEAP-22912" }, { "category": "external", "summary": "JBEAP-22913", "url": "https://issues.redhat.com/browse/JBEAP-22913" }, { "category": "external", "summary": "JBEAP-22935", "url": "https://issues.redhat.com/browse/JBEAP-22935" }, { "category": "external", "summary": "JBEAP-22945", "url": "https://issues.redhat.com/browse/JBEAP-22945" }, { "category": "external", "summary": "JBEAP-22973", "url": "https://issues.redhat.com/browse/JBEAP-22973" }, { "category": "external", "summary": "JBEAP-23038", "url": "https://issues.redhat.com/browse/JBEAP-23038" }, { "category": "external", "summary": "JBEAP-23040", "url": "https://issues.redhat.com/browse/JBEAP-23040" }, { "category": "external", "summary": "JBEAP-23045", "url": "https://issues.redhat.com/browse/JBEAP-23045" }, { "category": "external", "summary": "JBEAP-23101", "url": "https://issues.redhat.com/browse/JBEAP-23101" }, { "category": "external", "summary": "JBEAP-23105", "url": "https://issues.redhat.com/browse/JBEAP-23105" }, { "category": "external", "summary": "JBEAP-23143", "url": "https://issues.redhat.com/browse/JBEAP-23143" }, { "category": "external", "summary": "JBEAP-23177", "url": "https://issues.redhat.com/browse/JBEAP-23177" }, { "category": "external", "summary": "JBEAP-23323", "url": "https://issues.redhat.com/browse/JBEAP-23323" }, { "category": "external", "summary": "JBEAP-23373", "url": "https://issues.redhat.com/browse/JBEAP-23373" }, { "category": "external", "summary": "JBEAP-23374", "url": "https://issues.redhat.com/browse/JBEAP-23374" }, { "category": "external", "summary": "JBEAP-23375", "url": "https://issues.redhat.com/browse/JBEAP-23375" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1299.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update", "tracking": { "current_release_date": "2025-10-09T21:42:24+00:00", "generator": { "date": "2025-10-09T21:42:24+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:1299", "initial_release_date": "2022-04-11T13:00:49+00:00", "revision_history": [ { "date": "2022-04-11T13:00:49+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-04-11T13:00:49+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:24+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 7.4.4 release", "product": { "name": "EAP 7.4.4 release", "product_id": "EAP 7.4.4 release", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:0430
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for Red Hat Data Grid is now available.\n \nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.\n \nData Grid 7.3.9 replaces Data Grid 7.3.8 and includes bug fixes and enhancements. Find out more about Data Grid 7.3.8 in the Release Notes [3].\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0430", "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=7.3\u0026downloadType=patches", "url": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=7.3\u0026downloadType=patches" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0430.json" } ], "title": "Red Hat Security Advisory: Red Hat Data Grid 7.3.9 security update", "tracking": { "current_release_date": "2025-10-09T21:42:15+00:00", "generator": { "date": "2025-10-09T21:42:15+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0430", "initial_release_date": "2022-02-03T14:04:37+00:00", "revision_history": [ { "date": "2022-02-03T14:04:37+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T14:04:37+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:15+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Data Grid 7.3.9", "product": { "name": "Red Hat Data Grid 7.3.9", "product_id": "Red Hat Data Grid 7.3.9", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_data_grid:7.3" } } } ], "category": "product_family", "name": "Red Hat JBoss Data Grid" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:0294
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0294", "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0294.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2025-10-09T21:42:16+00:00", "generator": { "date": "2025-10-09T21:42:16+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0294", "initial_release_date": "2022-01-26T14:48:57+00:00", "revision_history": [ { "date": "2022-01-26T14:48:57+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:48:57+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:16+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product": { "name": "Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_e4s:8.1::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "product": { "name": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm (parfait:0.5)", "product_id": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "product": { "name": "parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm (parfait:0.5)", "product_id": "parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "product": { "name": "parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm (parfait:0.5)", "product_id": "parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "product": { "name": "pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm (parfait:0.5)", "product_id": "pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "product": { "name": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm (parfait:0.5)", "product_id": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=src\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8010020220124232535:d5701770" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5" }, "product_reference": "parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5" }, "product_reference": "pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-0.5.4-4.module+el8.1.0+14000+df5fdac7.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-examples-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:parfait-javadoc-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:pcp-parfait-agent-0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.1.0.Z.E4S:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021:5269
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for rh-maven36-log4j12 is now available for Red Hat Software Collections.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Log4j is a tool to help the programmer output log statements to a variety of output targets.\n\nSecurity Fix(es):\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5269", "url": "https://access.redhat.com/errata/RHSA-2021:5269" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5269.json" } ], "title": "Red Hat Security Advisory: rh-maven36-log4j12 security update", "tracking": { "current_release_date": "2025-10-09T21:42:10+00:00", "generator": { "date": "2025-10-09T21:42:10+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2021:5269", "initial_release_date": "2021-12-22T21:29:25+00:00", "revision_history": [ { "date": "2021-12-22T21:29:25+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-22T21:29:25+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:10+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Software Collections for RHEL Workstation(v. 7)", "product": { "name": "Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7" } } }, { "category": "product_name", "name": "Red Hat Software Collections for RHEL(v. 7)", "product": { "name": "Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7" } } } ], "category": "product_family", "name": "Red Hat Software Collections" }, { "branches": [ { "category": "product_version", "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "product": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "product_id": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-maven36-log4j12@1.2.17-23.3.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "product": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "product_id": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-maven36-log4j12@1.2.17-23.3.el7?arch=noarch" } } }, { "category": "product_version", "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "product": { "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "product_id": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-maven36-log4j12-javadoc@1.2.17-23.3.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" }, "product_reference": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" }, "product_reference": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "relates_to_product_reference": "7Workstation-RHSCL-3.8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-22T21:29:25+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5269" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" } ] }
RHSA-2021:5186
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.6.52 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046 (CVE-2021-4125)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5186", "url": "https://access.redhat.com/errata/RHSA-2021:5186" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5186.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.6.52 security update", "tracking": { "current_release_date": "2025-10-09T21:42:10+00:00", "generator": { "date": "2025-10-09T21:42:10+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2021:5186", "initial_release_date": "2021-12-16T22:34:47+00:00", "revision_history": [ { "date": "2021-12-16T22:34:47+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T22:34:47+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:10+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.6", "product": { "name": "Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.6::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64", "product": { "name": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64", "product_id": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hive\u0026tag=v4.6.0-202112160147.p0.gf139e12.assembly.stream" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.6.0-202112161349.p0.gd74112d.assembly.art3595" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.6.0.202112161349.p0.gd74112d.assembly.art3595-1" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" }, "product_reference": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T22:34:47+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5186" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-4125", "discovery_date": "2021-12-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2033121" } ], "notes": [ { "category": "description", "text": "It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed.", "title": "Vulnerability description" }, { "category": "summary", "text": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046", "title": "Vulnerability summary" }, { "category": "other", "text": "This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6. The below previously shipped advisories were incomplete:\n\nhttps://access.redhat.com/errata/RHSA-2021:5108\n\nhttps://access.redhat.com/errata/RHSA-2021:5107\n\nhttps://access.redhat.com/errata/RHSA-2021:5106\n\nFor the complete fix, customers should upgrade to the images shipped in these advisories:\n\n4.8.24: https://access.redhat.com/errata/RHSA-2021:5183\n\n4.7.40: https://access.redhat.com/errata/RHSA-2021:5184\n\n4.6.52 https://access.redhat.com/errata/RHSA-2021:5186\n\nThe OpenShift Metering hive container images were deprecated in OpenShift 4.8, and not shipped in 4.9 or later.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4125" }, { "category": "external", "summary": "RHBZ#2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4125", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4125" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-45046", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" } ], "release_date": "2021-12-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T22:34:47+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5186" }, { "category": "workaround", "details": "Please follow the Mitigation advice for the original CVEs.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046" } ] }
RHSA-2022:0497
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Data Virtualization.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.\n\nThis Service Pack release of Red Hat JBoss Data Virtualization 6.4.8.SP1 (Service Pack 1) serves as a replacement for Red Hat JBoss Data Virtualization 6.4.8, and mitigates the impact of the log4j CVE\u0027s referenced in this document by removing the affected classes from the patch.\n\nNote: customers should update their EAP 6.4 installation with the corresponding security fixes that have been released for that (see RHSA-2022:0437 and https://access.redhat.com/site/solutions/625683)\n\nSecurity Fix(es):\n\n* log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\n* log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0497", "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/" }, { "category": "external", "summary": "1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0497.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.4.8.SP1 security update", "tracking": { "current_release_date": "2025-10-10T02:14:55+00:00", "generator": { "date": "2025-10-10T02:14:55+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0497", "initial_release_date": "2022-02-09T13:11:07+00:00", "revision_history": [ { "date": "2022-02-09T13:11:07+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-09T13:11:07+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-10T02:14:55+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Data Virtualization 6.4.8.SP1", "product": { "name": "Red Hat JBoss Data Virtualization 6.4.8.SP1", "product_id": "Red Hat JBoss Data Virtualization 6.4.8.SP1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Data Virtualization" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-17571", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-12-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1785616" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: deserialization of untrusted data in SocketServer", "title": "Vulnerability summary" }, { "category": "other", "text": "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-17571" }, { "category": "external", "summary": "RHBZ#1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-17571", "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571" } ], "release_date": "2019-12-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: deserialization of untrusted data in SocketServer" }, { "cve": "CVE-2020-9488", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2020-04-25T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1831139" } ], "notes": [ { "category": "description", "text": "Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: improper validation of certificate with host mismatch in SMTP appender", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-9488" }, { "category": "external", "summary": "RHBZ#1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9488", "url": "https://www.cve.org/CVERecord?id=CVE-2020-9488" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488" } ], "release_date": "2020-04-25T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "Previous versions can set the system property mail.smtp.ssl.checkserveridentity to true to globally enable hostname verification for SMTPS connections.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: improper validation of certificate with host mismatch in SMTP appender" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021_5184
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.7.40 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046 (CVE-2021-4125)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5184", "url": "https://access.redhat.com/errata/RHSA-2021:5184" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5184.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.7.40 security update", "tracking": { "current_release_date": "2024-11-26T02:51:13+00:00", "generator": { "date": "2024-11-26T02:51:13+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2021:5184", "initial_release_date": "2021-12-16T21:40:28+00:00", "revision_history": [ { "date": "2021-12-16T21:40:28+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T21:40:28+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:13+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.7", "product": { "name": "Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.7::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64", "product": { "name": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64", "product_id": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hive\u0026tag=v4.7.0-202112160422.p0.g6a2b6aa.assembly.4.7.40" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.7.0-202112160422.p0.g3959be4.assembly.4.7.40" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.7.0.202112160422.p0.g3959be4.assembly.4.7.40-1" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" }, "product_reference": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T21:40:28+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5184" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-4125", "discovery_date": "2021-12-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2033121" } ], "notes": [ { "category": "description", "text": "It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed.", "title": "Vulnerability description" }, { "category": "summary", "text": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046", "title": "Vulnerability summary" }, { "category": "other", "text": "This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6. The below previously shipped advisories were incomplete:\n\nhttps://access.redhat.com/errata/RHSA-2021:5108\n\nhttps://access.redhat.com/errata/RHSA-2021:5107\n\nhttps://access.redhat.com/errata/RHSA-2021:5106\n\nFor the complete fix, customers should upgrade to the images shipped in these advisories:\n\n4.8.24: https://access.redhat.com/errata/RHSA-2021:5183\n\n4.7.40: https://access.redhat.com/errata/RHSA-2021:5184\n\n4.6.52 https://access.redhat.com/errata/RHSA-2021:5186\n\nThe OpenShift Metering hive container images were deprecated in OpenShift 4.8, and not shipped in 4.9 or later.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4125" }, { "category": "external", "summary": "RHBZ#2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4125", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4125" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-45046", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" } ], "release_date": "2021-12-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T21:40:28+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5184" }, { "category": "workaround", "details": "Please follow the Mitigation advice for the original CVEs.", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046" } ] }
rhsa-2022:0445
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A new image is available for Red Hat Single Sign-On 7.4.10 on OpenJ9, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.4.10 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.3 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0445", "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2059", "url": "https://issues.redhat.com/browse/CIAM-2059" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0445.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.4.10 on OpenJ9 for OpenShift image security update", "tracking": { "current_release_date": "2025-10-09T21:42:17+00:00", "generator": { "date": "2025-10-09T21:42:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0445", "initial_release_date": "2022-02-07T14:22:21+00:00", "revision_history": [ { "date": "2022-02-07T14:22:21+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T14:22:22+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Middleware Containers for OpenShift", "product": { "name": "Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhosemc:1.0::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "product": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "product_id": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "product_identification_helper": { "purl": "pkg:oci/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8?arch=s390x\u0026repository_url=registry.redhat.io/rh-sso-7/sso74-openj9-openshift-rhel8\u0026tag=7.4-60" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "product": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "product_id": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "product_identification_helper": { "purl": "pkg:oci/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96?arch=ppc64le\u0026repository_url=registry.redhat.io/rh-sso-7/sso74-openj9-openshift-rhel8\u0026tag=7.4-60" } } } ], "category": "architecture", "name": "ppc64le" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le" }, "product_reference": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" }, "product_reference": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "relates_to_product_reference": "8Base-RHOSE-Middleware" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021:5183
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.8.24 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046 (CVE-2021-4125)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5183", "url": "https://access.redhat.com/errata/RHSA-2021:5183" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5183.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.8.24 security update", "tracking": { "current_release_date": "2025-10-09T21:42:09+00:00", "generator": { "date": "2025-10-09T21:42:09+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2021:5183", "initial_release_date": "2021-12-16T21:14:49+00:00", "revision_history": [ { "date": "2021-12-16T21:14:49+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T21:14:49+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:09+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.8", "product": { "name": "Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.8::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64", "product": { "name": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64", "product_id": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hive\u0026tag=v4.8.0-202112160147.p0.g5672016.assembly.stream" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.8.0-202112161229.p0.g0d7ecfb.assembly.art3599" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.8.0.202112161229.p0.g0d7ecfb.assembly.art3599-1" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" }, "product_reference": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T21:14:49+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5183" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-4125", "discovery_date": "2021-12-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2033121" } ], "notes": [ { "category": "description", "text": "It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed.", "title": "Vulnerability description" }, { "category": "summary", "text": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046", "title": "Vulnerability summary" }, { "category": "other", "text": "This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6. The below previously shipped advisories were incomplete:\n\nhttps://access.redhat.com/errata/RHSA-2021:5108\n\nhttps://access.redhat.com/errata/RHSA-2021:5107\n\nhttps://access.redhat.com/errata/RHSA-2021:5106\n\nFor the complete fix, customers should upgrade to the images shipped in these advisories:\n\n4.8.24: https://access.redhat.com/errata/RHSA-2021:5183\n\n4.7.40: https://access.redhat.com/errata/RHSA-2021:5184\n\n4.6.52 https://access.redhat.com/errata/RHSA-2021:5186\n\nThe OpenShift Metering hive container images were deprecated in OpenShift 4.8, and not shipped in 4.9 or later.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4125" }, { "category": "external", "summary": "RHBZ#2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4125", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4125" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-45046", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" } ], "release_date": "2021-12-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T21:14:49+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5183" }, { "category": "workaround", "details": "Please follow the Mitigation advice for the original CVEs.", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046" } ] }
rhsa-2021_5186
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.6.52 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046 (CVE-2021-4125)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5186", "url": "https://access.redhat.com/errata/RHSA-2021:5186" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5186.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.6.52 security update", "tracking": { "current_release_date": "2024-11-26T02:51:26+00:00", "generator": { "date": "2024-11-26T02:51:26+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2021:5186", "initial_release_date": "2021-12-16T22:34:47+00:00", "revision_history": [ { "date": "2021-12-16T22:34:47+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T22:34:47+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:26+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.6", "product": { "name": "Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.6::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64", "product": { "name": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64", "product_id": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hive\u0026tag=v4.6.0-202112160147.p0.gf139e12.assembly.stream" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.6.0-202112161349.p0.gd74112d.assembly.art3595" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.6.0.202112161349.p0.gd74112d.assembly.art3595-1" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" }, "product_reference": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T22:34:47+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5186" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-4125", "discovery_date": "2021-12-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2033121" } ], "notes": [ { "category": "description", "text": "It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed.", "title": "Vulnerability description" }, { "category": "summary", "text": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046", "title": "Vulnerability summary" }, { "category": "other", "text": "This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6. The below previously shipped advisories were incomplete:\n\nhttps://access.redhat.com/errata/RHSA-2021:5108\n\nhttps://access.redhat.com/errata/RHSA-2021:5107\n\nhttps://access.redhat.com/errata/RHSA-2021:5106\n\nFor the complete fix, customers should upgrade to the images shipped in these advisories:\n\n4.8.24: https://access.redhat.com/errata/RHSA-2021:5183\n\n4.7.40: https://access.redhat.com/errata/RHSA-2021:5184\n\n4.6.52 https://access.redhat.com/errata/RHSA-2021:5186\n\nThe OpenShift Metering hive container images were deprecated in OpenShift 4.8, and not shipped in 4.9 or later.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4125" }, { "category": "external", "summary": "RHBZ#2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4125", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4125" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-45046", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" } ], "release_date": "2021-12-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T22:34:47+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5186" }, { "category": "workaround", "details": "Please follow the Mitigation advice for the original CVEs.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046" } ] }
rhsa-2022:1296
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:1296", "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-22105", "url": "https://issues.redhat.com/browse/JBEAP-22105" }, { "category": "external", "summary": "JBEAP-22385", "url": "https://issues.redhat.com/browse/JBEAP-22385" }, { "category": "external", "summary": "JBEAP-22731", "url": "https://issues.redhat.com/browse/JBEAP-22731" }, { "category": "external", "summary": "JBEAP-22738", "url": "https://issues.redhat.com/browse/JBEAP-22738" }, { "category": "external", "summary": "JBEAP-22819", "url": "https://issues.redhat.com/browse/JBEAP-22819" }, { "category": "external", "summary": "JBEAP-22839", "url": "https://issues.redhat.com/browse/JBEAP-22839" }, { "category": "external", "summary": "JBEAP-22864", "url": "https://issues.redhat.com/browse/JBEAP-22864" }, { "category": "external", "summary": "JBEAP-22899", "url": "https://issues.redhat.com/browse/JBEAP-22899" }, { "category": "external", "summary": "JBEAP-22904", "url": "https://issues.redhat.com/browse/JBEAP-22904" }, { "category": "external", "summary": "JBEAP-22911", "url": "https://issues.redhat.com/browse/JBEAP-22911" }, { "category": "external", "summary": "JBEAP-22912", "url": "https://issues.redhat.com/browse/JBEAP-22912" }, { "category": "external", "summary": "JBEAP-22913", "url": "https://issues.redhat.com/browse/JBEAP-22913" }, { "category": "external", "summary": "JBEAP-22935", "url": "https://issues.redhat.com/browse/JBEAP-22935" }, { "category": "external", "summary": "JBEAP-22945", "url": "https://issues.redhat.com/browse/JBEAP-22945" }, { "category": "external", "summary": "JBEAP-22973", "url": "https://issues.redhat.com/browse/JBEAP-22973" }, { "category": "external", "summary": "JBEAP-23038", "url": "https://issues.redhat.com/browse/JBEAP-23038" }, { "category": "external", "summary": "JBEAP-23040", "url": "https://issues.redhat.com/browse/JBEAP-23040" }, { "category": "external", "summary": "JBEAP-23045", "url": "https://issues.redhat.com/browse/JBEAP-23045" }, { "category": "external", "summary": "JBEAP-23101", "url": "https://issues.redhat.com/browse/JBEAP-23101" }, { "category": "external", "summary": "JBEAP-23105", "url": "https://issues.redhat.com/browse/JBEAP-23105" }, { "category": "external", "summary": "JBEAP-23143", "url": "https://issues.redhat.com/browse/JBEAP-23143" }, { "category": "external", "summary": "JBEAP-23177", "url": "https://issues.redhat.com/browse/JBEAP-23177" }, { "category": "external", "summary": "JBEAP-23323", "url": "https://issues.redhat.com/browse/JBEAP-23323" }, { "category": "external", "summary": "JBEAP-23373", "url": "https://issues.redhat.com/browse/JBEAP-23373" }, { "category": "external", "summary": "JBEAP-23374", "url": "https://issues.redhat.com/browse/JBEAP-23374" }, { "category": "external", "summary": "JBEAP-23375", "url": "https://issues.redhat.com/browse/JBEAP-23375" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1296.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update", "tracking": { "current_release_date": "2025-10-09T21:42:23+00:00", "generator": { "date": "2025-10-09T21:42:23+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:1296", "initial_release_date": "2022-04-11T12:59:41+00:00", "revision_history": [ { "date": "2022-04-11T12:59:41+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-04-11T12:59:41+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:23+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el7eap?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el7-x86_64@2.2.0-2.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el7eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-core@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-entitymanager@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-envers@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-java8@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-compensations@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbosstxbridge@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbossxts@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-idlj@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-integration@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-api@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-bridge@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-integration@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-util@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-txframework@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-cli@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-commons@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-core-client@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-dto@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hornetq-protocol@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hqclient-protocol@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jdbc-store@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-client@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-server@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-journal@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-ra@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-selector@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-server@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-service-extensions@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-tools@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.11-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-jdbc@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-remote@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-client-hotrod@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-commons@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-component-annotations@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-core@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-commons@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-spi@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-v53@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el7eap?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-java@2.2.0-3.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-15.Final_redhat_00014.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-15.Final_redhat_00014.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_id": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el7-x86_64@2.2.0-2.Final_redhat_00002.1.el7eap?arch=x86_64" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_id": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el7-x86_64-debuginfo@2.2.0-2.Final_redhat_00002.1.el7eap?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_1297
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:1297", "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-22105", "url": "https://issues.redhat.com/browse/JBEAP-22105" }, { "category": "external", "summary": "JBEAP-22385", "url": "https://issues.redhat.com/browse/JBEAP-22385" }, { "category": "external", "summary": "JBEAP-22731", "url": "https://issues.redhat.com/browse/JBEAP-22731" }, { "category": "external", "summary": "JBEAP-22738", "url": "https://issues.redhat.com/browse/JBEAP-22738" }, { "category": "external", "summary": "JBEAP-22819", "url": "https://issues.redhat.com/browse/JBEAP-22819" }, { "category": "external", "summary": "JBEAP-22839", "url": "https://issues.redhat.com/browse/JBEAP-22839" }, { "category": "external", "summary": "JBEAP-22864", "url": "https://issues.redhat.com/browse/JBEAP-22864" }, { "category": "external", "summary": "JBEAP-22900", "url": "https://issues.redhat.com/browse/JBEAP-22900" }, { "category": "external", "summary": "JBEAP-22904", "url": "https://issues.redhat.com/browse/JBEAP-22904" }, { "category": "external", "summary": "JBEAP-22911", "url": "https://issues.redhat.com/browse/JBEAP-22911" }, { "category": "external", "summary": "JBEAP-22912", "url": "https://issues.redhat.com/browse/JBEAP-22912" }, { "category": "external", "summary": "JBEAP-22913", "url": "https://issues.redhat.com/browse/JBEAP-22913" }, { "category": "external", "summary": "JBEAP-22935", "url": "https://issues.redhat.com/browse/JBEAP-22935" }, { "category": "external", "summary": "JBEAP-22945", "url": "https://issues.redhat.com/browse/JBEAP-22945" }, { "category": "external", "summary": "JBEAP-22973", "url": "https://issues.redhat.com/browse/JBEAP-22973" }, { "category": "external", "summary": "JBEAP-23038", "url": "https://issues.redhat.com/browse/JBEAP-23038" }, { "category": "external", "summary": "JBEAP-23040", "url": "https://issues.redhat.com/browse/JBEAP-23040" }, { "category": "external", "summary": "JBEAP-23045", "url": "https://issues.redhat.com/browse/JBEAP-23045" }, { "category": "external", "summary": "JBEAP-23101", "url": "https://issues.redhat.com/browse/JBEAP-23101" }, { "category": "external", "summary": "JBEAP-23105", "url": "https://issues.redhat.com/browse/JBEAP-23105" }, { "category": "external", "summary": "JBEAP-23143", "url": "https://issues.redhat.com/browse/JBEAP-23143" }, { "category": "external", "summary": "JBEAP-23177", "url": "https://issues.redhat.com/browse/JBEAP-23177" }, { "category": "external", "summary": "JBEAP-23323", "url": "https://issues.redhat.com/browse/JBEAP-23323" }, { "category": "external", "summary": "JBEAP-23373", "url": "https://issues.redhat.com/browse/JBEAP-23373" }, { "category": "external", "summary": "JBEAP-23374", "url": "https://issues.redhat.com/browse/JBEAP-23374" }, { "category": "external", "summary": "JBEAP-23375", "url": "https://issues.redhat.com/browse/JBEAP-23375" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1297.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update", "tracking": { "current_release_date": "2024-11-26T02:52:57+00:00", "generator": { "date": "2024-11-26T02:52:57+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:1297", "initial_release_date": "2022-04-11T13:00:18+00:00", "revision_history": [ { "date": "2022-04-11T13:00:18+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-04-11T13:00:18+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:52:57+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el8eap?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el8-x86_64@2.2.0-2.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el8eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-core@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-entitymanager@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-envers@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-java8@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-compensations@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbosstxbridge@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbossxts@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-idlj@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-integration@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-api@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-bridge@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-integration@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-util@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-txframework@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-cli@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-commons@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-core-client@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-dto@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hornetq-protocol@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hqclient-protocol@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jdbc-store@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-client@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-server@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-journal@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-ra@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-selector@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-server@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-service-extensions@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-tools@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.11-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-jdbc@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-remote@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-client-hotrod@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-commons@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-component-annotations@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-core@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-commons@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-spi@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-v53@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el8eap?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-java@2.2.0-3.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-15.Final_redhat_00014.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-15.Final_redhat_00014.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_id": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.4-3.GA_redhat_00011.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_id": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.4-3.GA_redhat_00011.1.el8eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_id": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el8-x86_64@2.2.0-2.Final_redhat_00002.1.el8eap?arch=x86_64" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_id": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el8-x86_64-debuginfo@2.2.0-2.Final_redhat_00002.1.el8eap?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:5460
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.23 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 6.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n\n* jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS (CVE-2020-14384)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:5460", "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index" }, { "category": "external", "summary": "1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "1871928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1871928" }, { "category": "external", "summary": "1873619", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1873619" }, { "category": "external", "summary": "1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5460.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update", "tracking": { "current_release_date": "2025-10-09T20:37:17+00:00", "generator": { "date": "2025-10-09T20:37:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:5460", "initial_release_date": "2022-06-30T19:14:26+00:00", "revision_history": [ { "date": "2022-06-30T19:14:26+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-30T19:14:26+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T20:37:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el7?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el7?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-13935", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-07-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857024" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Certificate System 10.0 as well as Red Hat Enterprise Linux 8\u0027s Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, there is no entry point for WebSockets, thus it is not possible to trigger the flaw in a supported setup. A future update may fix the code. Similarly, Red Hat OpenStack Platform 13 does not ship with WebSocket functionality enabled by default.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-13935" }, { "category": "external", "summary": "RHBZ#1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-13935", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13935" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935" }, { "category": "external", "summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E", "url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E" }, { "category": "external", "summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7", "url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7" }, { "category": "external", "summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105", "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105" }, { "category": "external", "summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57", "url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57" }, { "category": "external", "summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37", "url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37" } ], "release_date": "2020-07-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS" }, { "cve": "CVE-2020-14384", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1875176" } ], "notes": [ { "category": "description", "text": "A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-14384" }, { "category": "external", "summary": "RHBZ#1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14384", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384" } ], "release_date": "2020-09-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:0436
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0436", "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0436.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update", "tracking": { "current_release_date": "2025-10-09T21:42:16+00:00", "generator": { "date": "2025-10-09T21:42:16+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0436", "initial_release_date": "2022-02-03T18:30:42+00:00", "revision_history": [ { "date": "2022-02-03T18:30:42+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:30:42+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:16+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7" } } }, { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el8eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el8eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_1299
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:1299", "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-22105", "url": "https://issues.redhat.com/browse/JBEAP-22105" }, { "category": "external", "summary": "JBEAP-22385", "url": "https://issues.redhat.com/browse/JBEAP-22385" }, { "category": "external", "summary": "JBEAP-22731", "url": "https://issues.redhat.com/browse/JBEAP-22731" }, { "category": "external", "summary": "JBEAP-22738", "url": "https://issues.redhat.com/browse/JBEAP-22738" }, { "category": "external", "summary": "JBEAP-22819", "url": "https://issues.redhat.com/browse/JBEAP-22819" }, { "category": "external", "summary": "JBEAP-22839", "url": "https://issues.redhat.com/browse/JBEAP-22839" }, { "category": "external", "summary": "JBEAP-22864", "url": "https://issues.redhat.com/browse/JBEAP-22864" }, { "category": "external", "summary": "JBEAP-22904", "url": "https://issues.redhat.com/browse/JBEAP-22904" }, { "category": "external", "summary": "JBEAP-22911", "url": "https://issues.redhat.com/browse/JBEAP-22911" }, { "category": "external", "summary": "JBEAP-22912", "url": "https://issues.redhat.com/browse/JBEAP-22912" }, { "category": "external", "summary": "JBEAP-22913", "url": "https://issues.redhat.com/browse/JBEAP-22913" }, { "category": "external", "summary": "JBEAP-22935", "url": "https://issues.redhat.com/browse/JBEAP-22935" }, { "category": "external", "summary": "JBEAP-22945", "url": "https://issues.redhat.com/browse/JBEAP-22945" }, { "category": "external", "summary": "JBEAP-22973", "url": "https://issues.redhat.com/browse/JBEAP-22973" }, { "category": "external", "summary": "JBEAP-23038", "url": "https://issues.redhat.com/browse/JBEAP-23038" }, { "category": "external", "summary": "JBEAP-23040", "url": "https://issues.redhat.com/browse/JBEAP-23040" }, { "category": "external", "summary": "JBEAP-23045", "url": "https://issues.redhat.com/browse/JBEAP-23045" }, { "category": "external", "summary": "JBEAP-23101", "url": "https://issues.redhat.com/browse/JBEAP-23101" }, { "category": "external", "summary": "JBEAP-23105", "url": "https://issues.redhat.com/browse/JBEAP-23105" }, { "category": "external", "summary": "JBEAP-23143", "url": "https://issues.redhat.com/browse/JBEAP-23143" }, { "category": "external", "summary": "JBEAP-23177", "url": "https://issues.redhat.com/browse/JBEAP-23177" }, { "category": "external", "summary": "JBEAP-23323", "url": "https://issues.redhat.com/browse/JBEAP-23323" }, { "category": "external", "summary": "JBEAP-23373", "url": "https://issues.redhat.com/browse/JBEAP-23373" }, { "category": "external", "summary": "JBEAP-23374", "url": "https://issues.redhat.com/browse/JBEAP-23374" }, { "category": "external", "summary": "JBEAP-23375", "url": "https://issues.redhat.com/browse/JBEAP-23375" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1299.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update", "tracking": { "current_release_date": "2024-11-26T02:52:49+00:00", "generator": { "date": "2024-11-26T02:52:49+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:1299", "initial_release_date": "2022-04-11T13:00:49+00:00", "revision_history": [ { "date": "2022-04-11T13:00:49+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-04-11T13:00:49+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:52:49+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 7.4.4 release", "product": { "name": "EAP 7.4.4 release", "product_id": "EAP 7.4.4 release", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:0290
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0290", "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0290.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2025-10-09T21:42:15+00:00", "generator": { "date": "2025-10-09T21:42:15+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0290", "initial_release_date": "2022-01-26T14:51:27+00:00", "revision_history": [ { "date": "2022-01-26T14:51:27+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:51:27+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:15+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream (v. 8)", "product": { "name": "Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN", "product_identification_helper": { "cpe": "cpe:/a:redhat:enterprise_linux:8::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "product": { "name": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm (parfait:0.5)", "product_id": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "product": { "name": "parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm (parfait:0.5)", "product_id": "parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "product": { "name": "parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm (parfait:0.5)", "product_id": "parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "product": { "name": "pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm (parfait:0.5)", "product_id": "pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "product": { "name": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm (parfait:0.5)", "product_id": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=src\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5" }, "product_reference": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5" }, "product_reference": "pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0289
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0289", "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0289.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2024-11-26T02:51:54+00:00", "generator": { "date": "2024-11-26T02:51:54+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0289", "initial_release_date": "2022-01-26T14:57:42+00:00", "revision_history": [ { "date": "2022-01-26T14:57:42+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:57:42+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:54+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product": { "name": "Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_eus:8.4::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait:0.5:8040020220124230039:d304d9ed", "product": { "name": "parfait:0.5:8040020220124230039:d304d9ed", "product_id": "parfait:0.5:8040020220124230039:d304d9ed", "product_identification_helper": { "purl": "pkg:rpmmod/redhat/parfait@0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product": { "name": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_id": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch" } } }, { "category": "product_version", "name": "parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product": { "name": "parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_id": "parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch" } } }, { "category": "product_version", "name": "parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_id": "parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_id": "pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "product": { "name": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "product_id": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=src" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, "product_reference": "parfait:0.5:8040020220124230039:d304d9ed", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch" }, "product_reference": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src" }, "product_reference": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch" }, "product_reference": "parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch" }, "product_reference": "parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch" }, "product_reference": "pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:0448
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "New Red Hat Single Sign-On 7.5.1 packages are now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.5.1 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* undertow: client side invocation timeout raised when calling over HTTP and\nHTTP2 (CVE-2021-3859)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSSink (CVE-2022-23302)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use\nJDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0448", "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/", "url": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/" }, { "category": "external", "summary": "2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-1976", "url": "https://issues.redhat.com/browse/CIAM-1976" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0448.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update on RHEL 8", "tracking": { "current_release_date": "2025-10-09T21:42:18+00:00", "generator": { "date": "2025-10-09T21:42:18+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0448", "initial_release_date": "2022-02-07T13:54:48+00:00", "revision_history": [ { "date": "2022-02-07T13:54:48+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:54:48+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:18+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Single Sign-On 7.5 for RHEL 8", "product": { "name": "Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el8" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el8sso?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el8sso?arch=noarch" } } }, { "category": "product_version", "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_id": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@15.0.4-1.redhat_00003.1.el8sso?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "relates_to_product_reference": "8Base-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src as a component of Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "relates_to_product_reference": "8Base-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" }, "product_reference": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "relates_to_product_reference": "8Base-RHSSO-7.5" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3859", "cwe": { "id": "CWE-214", "name": "Invocation of Process Using Visible Sensitive Information" }, "discovery_date": "2021-09-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2010378" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: client side invocation timeout raised when calling over HTTP2", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3859" }, { "category": "external", "summary": "RHBZ#2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3859", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3859" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859" } ], "release_date": "2022-02-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: client side invocation timeout raised when calling over HTTP2" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:0450
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A new image is available for Red Hat Single Sign-On 7.5.1, running on OpenShift Container Platform 3.10 and 3.11, and 4.9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.5.1 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.9 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0450", "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2055", "url": "https://issues.redhat.com/browse/CIAM-2055" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0450.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 for OpenShift image security and enhancement update", "tracking": { "current_release_date": "2025-10-09T21:42:18+00:00", "generator": { "date": "2025-10-09T21:42:18+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0450", "initial_release_date": "2022-02-07T14:45:54+00:00", "revision_history": [ { "date": "2022-02-07T14:45:54+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T14:45:54+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:18+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Middleware Containers for OpenShift", "product": { "name": "Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhosemc:1.0::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "product": { "name": "rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "product_id": "rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "product_identification_helper": { "purl": "pkg:oci/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463?arch=amd64\u0026repository_url=registry.redhat.io/rh-sso-7/sso7-rhel8-operator-bundle\u0026tag=7.5.1-9" } } }, { "category": "product_version", "name": "rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64", "product": { "name": "rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64", "product_id": "rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64", "product_identification_helper": { "purl": "pkg:oci/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a?arch=amd64\u0026repository_url=registry.redhat.io/rh-sso-7/sso75-openshift-rhel8\u0026tag=7.5-17" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64" }, "product_reference": "rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" }, "product_reference": "rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:45:54+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:45:54+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:45:54+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:45:54+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0661
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A minor version update (from 7.10 to 7.10.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "This release of Red Hat Fuse 7.10.1 serves as a replacement for Red Hat Fuse 7.10, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0661", "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0661.json" } ], "title": "Red Hat Security Advisory: Red Hat Fuse 7.10.1 release and security update", "tracking": { "current_release_date": "2024-11-26T02:52:42+00:00", "generator": { "date": "2024-11-26T02:52:42+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0661", "initial_release_date": "2022-02-23T14:06:23+00:00", "revision_history": [ { "date": "2022-02-23T14:06:23+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-23T14:06:23+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:52:42+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Fuse 7.10.1", "product": { "name": "Red Hat Fuse 7.10.1", "product_id": "Red Hat Fuse 7.10.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_fuse:7" } } } ], "category": "product_family", "name": "Red Hat JBoss Fuse" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2021:5107
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.7.40 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5107", "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5107.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.7.40 security update", "tracking": { "current_release_date": "2025-10-22T11:00:05+00:00", "generator": { "date": "2025-10-22T11:00:05+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2021:5107", "initial_release_date": "2021-12-16T15:00:19+00:00", "revision_history": [ { "date": "2021-12-16T15:00:19+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T15:00:19+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-22T11:00:05+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.7", "product": { "name": "Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.7::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "product": { "name": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "product_id": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hadoop\u0026tag=v4.7.0-202112150631.p0.g6046504.assembly.4.7.40" } } }, { "category": "product_version", "name": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "product": { "name": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "product_id": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hive\u0026tag=v4.7.0-202112140553.p0.g091bb99.assembly.stream" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.7.0-202112150631.p0.g3959be4.assembly.4.7.40" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.7.0.202112150631.p0.g3959be4.assembly.4.7.40-1" } } }, { "category": "product_version", "name": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64", "product": { "name": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64", "product_id": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-presto\u0026tag=v4.7.0-202112150631.p0.gd502108.assembly.4.7.40" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" }, "product_reference": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64" }, "product_reference": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" }, "product_reference": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T15:00:19+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T15:00:19+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Critical" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T15:00:19+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
RHSA-2021:5183
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.8.24 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046 (CVE-2021-4125)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5183", "url": "https://access.redhat.com/errata/RHSA-2021:5183" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5183.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.8.24 security update", "tracking": { "current_release_date": "2025-10-09T21:42:09+00:00", "generator": { "date": "2025-10-09T21:42:09+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2021:5183", "initial_release_date": "2021-12-16T21:14:49+00:00", "revision_history": [ { "date": "2021-12-16T21:14:49+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T21:14:49+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:09+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.8", "product": { "name": "Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.8::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64", "product": { "name": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64", "product_id": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hive\u0026tag=v4.8.0-202112160147.p0.g5672016.assembly.stream" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.8.0-202112161229.p0.g0d7ecfb.assembly.art3599" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.8.0.202112161229.p0.g0d7ecfb.assembly.art3599-1" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" }, "product_reference": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T21:14:49+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5183" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-4125", "discovery_date": "2021-12-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2033121" } ], "notes": [ { "category": "description", "text": "It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed.", "title": "Vulnerability description" }, { "category": "summary", "text": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046", "title": "Vulnerability summary" }, { "category": "other", "text": "This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6. The below previously shipped advisories were incomplete:\n\nhttps://access.redhat.com/errata/RHSA-2021:5108\n\nhttps://access.redhat.com/errata/RHSA-2021:5107\n\nhttps://access.redhat.com/errata/RHSA-2021:5106\n\nFor the complete fix, customers should upgrade to the images shipped in these advisories:\n\n4.8.24: https://access.redhat.com/errata/RHSA-2021:5183\n\n4.7.40: https://access.redhat.com/errata/RHSA-2021:5184\n\n4.6.52 https://access.redhat.com/errata/RHSA-2021:5186\n\nThe OpenShift Metering hive container images were deprecated in OpenShift 4.8, and not shipped in 4.9 or later.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4125" }, { "category": "external", "summary": "RHBZ#2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4125", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4125" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-45046", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" } ], "release_date": "2021-12-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T21:14:49+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5183" }, { "category": "workaround", "details": "Please follow the Mitigation advice for the original CVEs.", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046" } ] }
rhsa-2022_0447
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "New Red Hat Single Sign-On 7.5.1 packages are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.5.1 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* undertow: client side invocation timeout raised when calling over HTTP and HTTP2 (CVE-2021-3859)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSSink (CVE-2022-23302)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use\nJDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0447", "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/", "url": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/" }, { "category": "external", "summary": "2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-1976", "url": "https://issues.redhat.com/browse/CIAM-1976" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0447.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update on RHEL 7", "tracking": { "current_release_date": "2024-11-26T02:51:39+00:00", "generator": { "date": "2024-11-26T02:51:39+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0447", "initial_release_date": "2022-02-07T13:55:22+00:00", "revision_history": [ { "date": "2022-02-07T13:55:22+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:55:22+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:39+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product": { "name": "Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el7" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el7sso?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el7sso?arch=noarch" } } }, { "category": "product_version", "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_id": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@15.0.4-1.redhat_00003.1.el7sso?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "relates_to_product_reference": "7Server-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src as a component of Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "relates_to_product_reference": "7Server-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" }, "product_reference": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "relates_to_product_reference": "7Server-RHSSO-7.5" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3859", "cwe": { "id": "CWE-214", "name": "Invocation of Process Using Visible Sensitive Information" }, "discovery_date": "2021-09-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2010378" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: client side invocation timeout raised when calling over HTTP2", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3859" }, { "category": "external", "summary": "RHBZ#2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3859", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3859" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859" } ], "release_date": "2022-02-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: client side invocation timeout raised when calling over HTTP2" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:0437
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Enterprise Application Platform 6.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis asynchronous patch is an update for JBoss Enterprise Application Platform 6.4. All users of Red Hat JBoss Enterprise Application Platform 6.4 are advised to upgrade to this updated package.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0437", "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0437.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4 security update", "tracking": { "current_release_date": "2025-10-09T21:42:17+00:00", "generator": { "date": "2025-10-09T21:42:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0437", "initial_release_date": "2022-02-03T18:43:46+00:00", "revision_history": [ { "date": "2022-02-03T18:43:46+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:43:46+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 6.4 log4j async", "product": { "name": "EAP 6.4 log4j async", "product_id": "EAP 6.4 log4j async", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0507
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Data Virtualization.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.\n\nThis Service Pack release of Red Hat JBoss Data Virtualization 6.4.8.SP2 (Service Pack 2) serves as a replacement for Red Hat JBoss Data Virtualization 6.4.8 and Red Hat JBoss Data Virtualization 6.4.8.SP1, and mitigates the impact of the log4j CVE\u0027s referenced in this document by removing the affected classes from the patch.\n\nNote: customers should update their EAP 6.4 installation with the corresponding security fixes that have been released for that (see RHSA-2022:0437 and https://access.redhat.com/site/solutions/625683)\n\nSecurity Fix(es):\n\n* log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\n* log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0507", "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/" }, { "category": "external", "summary": "1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0507.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.4.8.SP2 security update", "tracking": { "current_release_date": "2024-11-26T02:52:12+00:00", "generator": { "date": "2024-11-26T02:52:12+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0507", "initial_release_date": "2022-02-10T17:26:37+00:00", "revision_history": [ { "date": "2022-02-10T17:26:37+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-10T17:26:37+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:52:12+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Data Virtualization 6.4.8.SP2", "product": { "name": "Red Hat JBoss Data Virtualization 6.4.8.SP2", "product_id": "Red Hat JBoss Data Virtualization 6.4.8.SP2", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Data Virtualization" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-17571", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-12-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1785616" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: deserialization of untrusted data in SocketServer", "title": "Vulnerability summary" }, { "category": "other", "text": "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-17571" }, { "category": "external", "summary": "RHBZ#1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-17571", "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571" } ], "release_date": "2019-12-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: deserialization of untrusted data in SocketServer" }, { "cve": "CVE-2020-9488", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2020-04-25T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1831139" } ], "notes": [ { "category": "description", "text": "Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: improper validation of certificate with host mismatch in SMTP appender", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-9488" }, { "category": "external", "summary": "RHBZ#1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9488", "url": "https://www.cve.org/CVERecord?id=CVE-2020-9488" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488" } ], "release_date": "2020-04-25T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "Previous versions can set the system property mail.smtp.ssl.checkserveridentity to true to globally enable hostname verification for SMTPS connections.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: improper validation of certificate with host mismatch in SMTP appender" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2021:5141
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.6.52 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact\nof Critical. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5141", "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5141.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.6.52 security update", "tracking": { "current_release_date": "2025-10-22T11:00:20+00:00", "generator": { "date": "2025-10-22T11:00:20+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2021:5141", "initial_release_date": "2021-12-16T07:50:00+00:00", "revision_history": [ { "date": "2021-12-16T07:50:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T07:50:00+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-22T11:00:20+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.6", "product": { "name": "Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.6::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "product": { "name": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "product_id": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hadoop\u0026tag=v4.6.0-202112150545.p0.gf381145.assembly.art3595" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.6.0-202112150545.p0.gd74112d.assembly.art3595" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.6.0.202112150545.p0.gd74112d.assembly.art3595-1" } } }, { "category": "product_version", "name": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "product": { "name": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "product_id": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-presto\u0026tag=v4.6.0-202112150545.p0.g190688a.assembly.art3595" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" }, "product_reference": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" }, "product_reference": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T07:50:00+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T07:50:00+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Critical" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T07:50:00+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
RHSA-2022:0438
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis asynchronous patch is an update for JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5, 6, and 7. All users of Red Hat JBoss Enterprise Application Platform 6.4 are advised to upgrade to this updated package.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0438", "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0438.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4 security update", "tracking": { "current_release_date": "2025-10-09T21:42:17+00:00", "generator": { "date": "2025-10-09T21:42:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0438", "initial_release_date": "2022-02-03T18:51:47+00:00", "revision_history": [ { "date": "2022-02-03T18:51:47+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:51:47+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6" } } }, { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0450
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A new image is available for Red Hat Single Sign-On 7.5.1, running on OpenShift Container Platform 3.10 and 3.11, and 4.9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.5.1 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.9 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0450", "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2055", "url": "https://issues.redhat.com/browse/CIAM-2055" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0450.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 for OpenShift image security and enhancement update", "tracking": { "current_release_date": "2024-11-26T02:51:27+00:00", "generator": { "date": "2024-11-26T02:51:27+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0450", "initial_release_date": "2022-02-07T14:45:54+00:00", "revision_history": [ { "date": "2022-02-07T14:45:54+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T14:45:54+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:27+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Middleware Containers for OpenShift", "product": { "name": "Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhosemc:1.0::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "product": { "name": "rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "product_id": "rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "product_identification_helper": { "purl": "pkg:oci/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463?arch=amd64\u0026repository_url=registry.redhat.io/rh-sso-7/sso7-rhel8-operator-bundle\u0026tag=7.5.1-9" } } }, { "category": "product_version", "name": "rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64", "product": { "name": "rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64", "product_id": "rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64", "product_identification_helper": { "purl": "pkg:oci/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a?arch=amd64\u0026repository_url=registry.redhat.io/rh-sso-7/sso75-openshift-rhel8\u0026tag=7.5-17" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64" }, "product_reference": "rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" }, "product_reference": "rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:45:54+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:45:54+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:45:54+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:45:54+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:ad87192dfe806d6ca2a156c0bdf475d82dbe9dad55e626c3e727c02d805e6463_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8@sha256:9ef70013c5f640926f9a3a79db258b2b0f00766d1234d3dd8ba7b415bade986a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:0475
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "The ovirt-engine package provides the manager for virtualization environments.\nThis manager enables admins to define hosts and networks, as well as to add\nstorage, create VMs and manage user permissions.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\nBug Fix(es):\n\n* With this release, the ovirt-engine-extension-logger-log4j package has been removed. It is replaced by an internal ovirt-engine implementation. \n\nWhen upgrading from earlier Red Hat Virtualization versions to RHV 4.4.10, the ovirt-engine-extension-logger-log4j package is uninstalled if it is present. If you used the ovirt-engine-extension-logger-log4j in earlier Red Hat Virtualization versions, you must manually remove the ovirt-engine-extension-logger-log4j configuration files and configure the new feature for sending log records to a remote syslog service, as outlined in the Administration Guide.\n\nAfter a successful upgrade to RHV 4.4.10, you can uninstall log4j12 without breaking the Red Hat Virtualization setup by running the following command: `$ dnf remove log4j12`. (BZ#2044277)\n\n* Previously, when preparing a host with FIPS kernel parameters enabled, the boot UUID parameter was blank after reboot. In this release, the UUID is present in the kernel arguments. Enabling FIPS does not change the UUID after reboot. (BZ#2013430)\n\n* Because installing the self-hosted engine with Cockpit is deprecated, the \u0027Installing Red Hat Virtualization as a self-hosted engine using the Cockpit web interface\u0027 link\non the Red Hat Virtualization Administration Portal login page has been replaced with the \"Installing Red Hat Virtualization as a self-hosted engine using the command line\" link. (BZ#1992476)\n\n* In this release, Red Hat Virtualization 4.4.10 requires snmp4j version 3.6.4 or later, which no longer depends on the log4j library. (BZ#2044257)", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0475", "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "1992476", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992476" }, { "category": "external", "summary": "2013430", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2013430" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "2044257", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044257" }, { "category": "external", "summary": "2044277", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044277" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0475.json" } ], "title": "Red Hat Security Advisory: RHV Manager (ovirt-engine) security update [ovirt-4.4.10-1]", "tracking": { "current_release_date": "2025-10-09T21:42:18+00:00", "generator": { "date": "2025-10-09T21:42:18+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0475", "initial_release_date": "2022-02-08T17:00:26+00:00", "revision_history": [ { "date": "2022-02-08T17:00:26+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-08T17:00:26+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:18+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product": { "name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhev_manager:4.4:el8" } } } ], "category": "product_family", "name": "Red Hat Virtualization" }, { "branches": [ { "category": "product_version", "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "product": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "product_id": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-branding-rhv@4.4.10-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "snmp4j-0:3.6.4-0.1.el8ev.src", "product": { "name": "snmp4j-0:3.6.4-0.1.el8ev.src", "product_id": "snmp4j-0:3.6.4-0.1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/snmp4j@3.6.4-0.1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "product": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "product_id": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine@4.4.10.6-0.1.el8ev?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "product": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "product_id": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-branding-rhv@4.4.10-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "product": { "name": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "product_id": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/snmp4j@3.6.4-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "product": { "name": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "product_id": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/snmp4j-javadoc@3.6.4-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-backend@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dbscripts@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-health-check-bundler@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-restapi@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-base@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-cinderlib@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-imageio@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine-common@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-vmconsole-proxy-helper@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-websocket-proxy@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-tools@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-tools-backup@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-vmconsole-proxy-helper@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-webadmin-portal@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-websocket-proxy@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python3-ovirt-engine-lib@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm@4.4.10.6-0.1.el8ev?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src" }, "product_reference": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch" }, "product_reference": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" }, "product_reference": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "snmp4j-0:3.6.4-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch" }, "product_reference": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "snmp4j-0:3.6.4-0.1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src" }, "product_reference": "snmp4j-0:3.6.4-0.1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" }, "product_reference": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:0507
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Data Virtualization.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.\n\nThis Service Pack release of Red Hat JBoss Data Virtualization 6.4.8.SP2 (Service Pack 2) serves as a replacement for Red Hat JBoss Data Virtualization 6.4.8 and Red Hat JBoss Data Virtualization 6.4.8.SP1, and mitigates the impact of the log4j CVE\u0027s referenced in this document by removing the affected classes from the patch.\n\nNote: customers should update their EAP 6.4 installation with the corresponding security fixes that have been released for that (see RHSA-2022:0437 and https://access.redhat.com/site/solutions/625683)\n\nSecurity Fix(es):\n\n* log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\n* log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0507", "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/" }, { "category": "external", "summary": "1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0507.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.4.8.SP2 security update", "tracking": { "current_release_date": "2025-10-10T02:14:56+00:00", "generator": { "date": "2025-10-10T02:14:56+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0507", "initial_release_date": "2022-02-10T17:26:37+00:00", "revision_history": [ { "date": "2022-02-10T17:26:37+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-10T17:26:37+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-10T02:14:56+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Data Virtualization 6.4.8.SP2", "product": { "name": "Red Hat JBoss Data Virtualization 6.4.8.SP2", "product_id": "Red Hat JBoss Data Virtualization 6.4.8.SP2", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Data Virtualization" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-17571", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-12-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1785616" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: deserialization of untrusted data in SocketServer", "title": "Vulnerability summary" }, { "category": "other", "text": "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-17571" }, { "category": "external", "summary": "RHBZ#1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-17571", "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571" } ], "release_date": "2019-12-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: deserialization of untrusted data in SocketServer" }, { "cve": "CVE-2020-9488", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2020-04-25T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1831139" } ], "notes": [ { "category": "description", "text": "Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: improper validation of certificate with host mismatch in SMTP appender", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-9488" }, { "category": "external", "summary": "RHBZ#1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9488", "url": "https://www.cve.org/CVERecord?id=CVE-2020-9488" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488" } ], "release_date": "2020-04-25T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "Previous versions can set the system property mail.smtp.ssl.checkserveridentity to true to globally enable hostname verification for SMTPS connections.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: improper validation of certificate with host mismatch in SMTP appender" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0290
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0290", "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0290.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2024-11-26T02:51:47+00:00", "generator": { "date": "2024-11-26T02:51:47+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0290", "initial_release_date": "2022-01-26T14:51:27+00:00", "revision_history": [ { "date": "2022-01-26T14:51:27+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:51:27+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:51:47+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream (v. 8)", "product": { "name": "Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN", "product_identification_helper": { "cpe": "cpe:/a:redhat:enterprise_linux:8::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait:0.5:8050020220124063900:6b489b78", "product": { "name": "parfait:0.5:8050020220124063900:6b489b78", "product_id": "parfait:0.5:8050020220124063900:6b489b78", "product_identification_helper": { "purl": "pkg:rpmmod/redhat/parfait@0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product": { "name": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_id": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch" } } }, { "category": "product_version", "name": "parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product": { "name": "parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_id": "parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch" } } }, { "category": "product_version", "name": "parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_id": "parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_id": "pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "product": { "name": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "product_id": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=src" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, "product_reference": "parfait:0.5:8050020220124063900:6b489b78", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch" }, "product_reference": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src" }, "product_reference": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch" }, "product_reference": "parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch" }, "product_reference": "parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch" }, "product_reference": "pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:0524
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Web Server 3.1 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 14 serves as a replacement for Red Hat JBoss Web Server 3.1 Service Pack 13. This release includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [jws-3] (CVE-2022-23302)\n* log4j-eap6: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [jws-3] (CVE-2022-23305)\n* log4j-eap6: log4j: Unsafe deserialization flaw in Chainsaw log viewer [jws-3] (CVE-2022-23307)\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [jws-3.1] (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0524", "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0524.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Web Server 3.1 Service Pack 14 Security Update", "tracking": { "current_release_date": "2025-10-09T21:42:24+00:00", "generator": { "date": "2025-10-09T21:42:24+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0524", "initial_release_date": "2022-02-14T17:10:12+00:00", "revision_history": [ { "date": "2022-02-14T17:10:12+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-14T17:10:12+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:24+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Web Server 3.1 for RHEL 7", "product": { "name": "Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Web Server" }, { "branches": [ { "category": "product_version", "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "product": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "product_id": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-native@1.2.23-26.redhat_26.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "tomcat7-0:7.0.70-46.ep7.el7.src", "product": { "name": "tomcat7-0:7.0.70-46.ep7.el7.src", "product_id": "tomcat7-0:7.0.70-46.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7@7.0.70-46.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "tomcat8-0:8.0.36-49.ep7.el7.src", "product": { "name": "tomcat8-0:8.0.36-49.ep7.el7.src", "product_id": "tomcat8-0:8.0.36-49.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8@8.0.36-49.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_id": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-native@1.2.23-26.redhat_26.ep7.el7?arch=x86_64" } } }, { "category": "product_version", "name": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product": { "name": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_id": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-native-debuginfo@1.2.23-26.redhat_26.ep7.el7?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-admin-webapps@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-docs-webapp@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-el-2.2-api@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-javadoc@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-jsp-2.2-api@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-jsvc@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-lib@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-log4j@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-selinux@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-servlet-3.0-api@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-webapps@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-admin-webapps@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-docs-webapp@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-el-2.2-api@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-javadoc@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-jsp-2.3-api@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-jsvc@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-lib@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-log4j@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-selinux@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-servlet-3.1-api@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-webapps@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src" }, "product_reference": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64" }, "product_reference": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64" }, "product_reference": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-0:7.0.70-46.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src" }, "product_reference": "tomcat7-0:7.0.70-46.ep7.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-0:8.0.36-49.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src" }, "product_reference": "tomcat8-0:8.0.36-49.ep7.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:0449
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat Single Sign-On 7.5 from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.5.1 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0449", "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.5", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.5" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2054", "url": "https://issues.redhat.com/browse/CIAM-2054" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0449.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update", "tracking": { "current_release_date": "2025-10-09T21:42:18+00:00", "generator": { "date": "2025-10-09T21:42:18+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0449", "initial_release_date": "2022-02-07T13:48:02+00:00", "revision_history": [ { "date": "2022-02-07T13:48:02+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:48:02+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:18+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHSSO 7.5.1", "product": { "name": "RHSSO 7.5.1", "product_id": "RHSSO 7.5.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "acknowledgments": [ { "names": [ "Christian D\u00f6lling" ] } ], "cve": "CVE-2022-1466", "cwe": { "id": "CWE-1220", "name": "Insufficient Granularity of Access Control" }, "discovery_date": "2022-02-03T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2050228" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak. The Red Hat Single Sign-On allowed authed users to perform actions outside their permissions. This flaw makes adding users to the master realm possible even though no respective permission was granted.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: Improper authorization for master realm", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1466" }, { "category": "external", "summary": "RHBZ#2050228", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2050228" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1466", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1466" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1466", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1466" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: Improper authorization for master realm" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2024_10207
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.3.11 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.10, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.11 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* cxf-core: Apache CXF SSRF Vulnerability using the Aegis databinding [eap-7.3.z] (CVE-2024-28752)\n\n* h2: Loading of custom classes from remote servers through JNDI [eap-7.3.z] (CVE-2022-23221)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer [eap-7.3.z] (CVE-2022-23307)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [eap-7.3.z] (CVE-2022-23305)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [eap-7.3.z] (CVE-2021-4104)\n\n* CXF: Apache CXF: SSRF Vulnerability [eap-7.3.z] (CVE-2022-46364)\n\n* log4j: log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging [eap-7.3.z] (CVE-2023-26464)\n\n* xalan: integer truncation issue in Xalan-J (JAXP, 8285407) [eap-7.3.z] (CVE-2022-34169)\n\n* xnio: StackOverflowException when the chain of notifier states becomes problematically big [eap-7.3.z] (CVE-2023-5685)\n\n* hsqldb: Untrusted input may lead to RCE attack [eap-7.3.z] (CVE-2022-41853)\n\n* server: eap-7: heap exhaustion via deserialization [eap-7.3.z] (CVE-2023-3171)\n\n* avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK [eap-7.3.z] (CVE-2023-39410)\n\n* undertow: client side invocation timeout raised when calling EJB over HTTP and HTTP2 [eap-7.3.z] (CVE-2021-3859)\n\n* avro: apache-avro: Schema parsing may trigger Remote Code Execution (RCE) [eap-7.3.z] (CVE-2024-47561)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2024:10207", "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3", "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/index", "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/index" }, { "category": "external", "summary": "2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "2044596", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044596" }, { "category": "external", "summary": "2108554", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2108554" }, { "category": "external", "summary": "2136141", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136141" }, { "category": "external", "summary": "2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "2182864", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182864" }, { "category": "external", "summary": "2213639", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2213639" }, { "category": "external", "summary": "2241822", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241822" }, { "category": "external", "summary": "2242521", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242521" }, { "category": "external", "summary": "2270732", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270732" }, { "category": "external", "summary": "2316116", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316116" }, { "category": "external", "summary": "JBEAP-23025", "url": "https://issues.redhat.com/browse/JBEAP-23025" }, { "category": "external", "summary": "JBEAP-28084", "url": "https://issues.redhat.com/browse/JBEAP-28084" }, { "category": "external", "summary": "JBEAP-28089", "url": "https://issues.redhat.com/browse/JBEAP-28089" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10207.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.3.11 Security update", "tracking": { "current_release_date": "2025-01-06T19:38:51+00:00", "generator": { "date": "2025-01-06T19:38:51+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.5" } }, "id": "RHSA-2024:10207", "initial_release_date": "2024-11-25T00:12:17+00:00", "revision_history": [ { "date": "2024-11-25T00:12:17+00:00", "number": "1", "summary": "Initial version" }, { "date": "2024-11-25T00:12:17+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-01-06T19:38:51+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-marshalling@2.0.15-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "product": { "name": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "product_id": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-cxf@3.4.10-1.SP1_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.7.13-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "product": { "name": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "product_id": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-avro@1.7.6-8.redhat_00003.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "product": { "name": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "product_id": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j@2.3.3-2.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src", "product": { "name": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src", "product_id": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xml-security@2.2.3-2.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "product": { "name": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "product_id": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xalan-j2@2.7.1-38.redhat_00015.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-2.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "product": { "name": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "product_id": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-h2database@1.4.197-3.redhat_00004.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-annotations-api_1.3_spec@2.0.1-4.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "product": { "name": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "product_id": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.7.2-12.Final_redhat_00013.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.3.11-4.GA_redhat_00002.1.el7eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-marshalling@2.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-marshalling-river@2.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_id": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-cxf@3.4.10-1.SP1_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_id": "eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-cxf-rt@3.4.10-1.SP1_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_id": "eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-cxf-services@3.4.10-1.SP1_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_id": "eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-cxf-tools@3.4.10-1.SP1_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.7.13-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "product_id": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-avro@1.7.6-8.redhat_00003.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j-bindings@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j-policy@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j-ws-security-common@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j-ws-security-dom@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j-ws-security-policy-stax@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j-ws-security-stax@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xml-security@2.2.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "product": { "name": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "product_id": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xalan-j2@2.7.1-38.redhat_00015.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-2.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "product": { "name": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "product_id": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-h2database@1.4.197-3.redhat_00004.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-annotations-api_1.3_spec@2.0.1-4.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap6.4@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap6.4-to-eap7.3@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap7.0@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap7.1@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap7.2@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap7.2-to-eap7.3@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap7.3-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly10.0@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly10.1@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly11.0@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly12.0@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly13.0-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly14.0-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly15.0-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly16.0-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly17.0-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly18.0-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly8.2@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly9.0@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.3.11-4.GA_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.3.11-4.GA_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.3.11-4.GA_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.3.11-4.GA_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.3.11-4.GA_redhat_00002.1.el7eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src" }, "product_reference": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch" }, "product_reference": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src" }, "product_reference": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src" }, "product_reference": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch" }, "product_reference": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src" }, "product_reference": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3859", "cwe": { "id": "CWE-214", "name": "Invocation of Process Using Visible Sensitive Information" }, "discovery_date": "2021-09-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2010378" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: client side invocation timeout raised when calling over HTTP2", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3859" }, { "category": "external", "summary": "RHBZ#2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3859", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3859" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859" } ], "release_date": "2022-02-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: client side invocation timeout raised when calling over HTTP2" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23221", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2044596" } ], "notes": [ { "category": "description", "text": "A flaw was found in the H2 Console. This flaw allows remote attackers to execute arbitrary code via a JDBC URL, concatenating with a substring that allows remote code execution by using a script.", "title": "Vulnerability description" }, { "category": "summary", "text": "h2: Loading of custom classes from remote servers through JNDI", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift Container Platform (OCP) the openshift-enterprise-3.11/metrics-hawkular-metrics-container container image ships a vulnerable version of h2 as part of the underlying images, but as it uses standard configuration and Console is not enabled/started by default, therefore the impact by this vulnerability is LOW and will not be fixed as OCP 3.x has already reached End of Full Support.\n\n[1] https://access.redhat.com/support/policy/updates/openshift_noncurrent", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23221" }, { "category": "external", "summary": "RHBZ#2044596", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044596" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23221", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23221" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23221", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23221" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-45hx-wfhj-473x", "url": "https://github.com/advisories/GHSA-45hx-wfhj-473x" } ], "release_date": "2022-01-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "h2: Loading of custom classes from remote servers through JNDI" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" }, { "cve": "CVE-2022-34169", "cwe": { "id": "CWE-192", "name": "Integer Coercion Error" }, "discovery_date": "2022-07-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2108554" } ], "notes": [ { "category": "description", "text": "The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.", "title": "Vulnerability description" }, { "category": "summary", "text": "OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-34169" }, { "category": "external", "summary": "RHBZ#2108554", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2108554" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-34169", "url": "https://www.cve.org/CVERecord?id=CVE-2022-34169" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-34169", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34169" } ], "release_date": "2022-07-19T20:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)" }, { "cve": "CVE-2022-41853", "cwe": { "id": "CWE-470", "name": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)" }, "discovery_date": "2022-10-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2136141" } ], "notes": [ { "category": "description", "text": "A flaw was found in the HSQLDB package. This flaw allows untrusted inputs to execute remote code due to any static method of any Java class in the classpath, resulting in code execution by default.", "title": "Vulnerability description" }, { "category": "summary", "text": "hsqldb: Untrusted input may lead to RCE attack", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-41853" }, { "category": "external", "summary": "RHBZ#2136141", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136141" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41853", "url": "https://www.cve.org/CVERecord?id=CVE-2022-41853" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41853", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41853" }, { "category": "external", "summary": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control", "url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-77xx-rxvh-q682", "url": "https://github.com/advisories/GHSA-77xx-rxvh-q682" } ], "release_date": "2022-10-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "By default, the static methods of any class that is on the classpath are available for use and can compromise security in some systems. The optional Java system property, hsqldb.method_class_names, allows preventing access to classes other than java.lang.Math or specifying a semicolon-separated list of allowed classes. A property value that ends with .* is treated as a wild card and allows access to all class or method names formed by substitution of the * (asterisk).\n\nIn the example below, the property has been included as an argument to the Java command.\n\n java -Dhsqldb.method_class_names=\"org.me.MyClass;org.you.YourClass;org.you.lib.*\" [the rest of the command line]\n\nThe above example allows access to the methods in the two classes: org.me.MyClass and org.you.YourClass together with all the classes in the org.you.lib package. Note that if the property is not defined, no access control is performed at this level.\n\nThe user who creates a Java routine must have the relevant access privileges on the tables that are used inside the Java method.\n\nOnce the routine has been defined, the normal database access control applies to its user. The routine can be executed only by those users who have been granted EXECUTE privileges on it. Access to routines can be granted to users with GRANT EXECUTE or GRANT ALL. For example, GRANT EXECUTE ON myroutine TO PUBLIC.\n\nIn hsqldb 2.7.1, all classes by default are not accessible, except those in java.lang.Math and need to be manually enabled.", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "hsqldb: Untrusted input may lead to RCE attack" }, { "cve": "CVE-2022-46364", "cwe": { "id": "CWE-918", "name": "Server-Side Request Forgery (SSRF)" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155682" } ], "notes": [ { "category": "description", "text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: SSRF Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46364" }, { "category": "external", "summary": "RHBZ#2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46364" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364" }, { "category": "external", "summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2", "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "CXF: SSRF Vulnerability" }, { "cve": "CVE-2023-3171", "cwe": { "id": "CWE-789", "name": "Memory Allocation with Excessive Size Value" }, "discovery_date": "2023-04-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2213639" } ], "notes": [ { "category": "description", "text": "A flaw was found in EAP-7 during deserialization of certain classes, which permits instantiation of HashMap and HashTable with no checks on resources consumed. This issue could allow an attacker to submit malicious requests using these classes, which could eventually exhaust the heap and result in a Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "eap-7: heap exhaustion via deserialization", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-3171" }, { "category": "external", "summary": "RHBZ#2213639", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2213639" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-3171", "url": "https://www.cve.org/CVERecord?id=CVE-2023-3171" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-3171", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3171" } ], "release_date": "2023-10-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "eap-7: heap exhaustion via deserialization" }, { "cve": "CVE-2023-5685", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-10-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2241822" } ], "notes": [ { "category": "description", "text": "A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS).", "title": "Vulnerability description" }, { "category": "summary", "text": "xnio: StackOverflowException when the chain of notifier states becomes problematically big", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat rates this vulnerability as an Important impact as the uncontrolled resource consumption may lead to Denial of Service (DoS). This might be intentioned by an attacker who is looking to jeopardize an environment.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-5685" }, { "category": "external", "summary": "RHBZ#2241822", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241822" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-5685", "url": "https://www.cve.org/CVERecord?id=CVE-2023-5685" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-5685", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5685" } ], "release_date": "2024-03-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "There is currently no mitigation available for this vulnerability. Please keep the packages up-to-date as the updates become available.", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "xnio: StackOverflowException when the chain of notifier states becomes problematically big" }, { "cve": "CVE-2023-26464", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-03-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2182864" } ], "notes": [ { "category": "description", "text": "A flaw was found in Chainsaw and SocketAppender components with Log4j 1.x on JRE, less than 1.7. This issue may allow an attacker to use a logging entry with a specially-crafted hashmap or hashtable, depending on which logging component is in use, to process and exhaust the available memory in the virtual machine, resulting in a Denial of Service when the object is deserialized. This issue affects Apache Log4j before version 2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j1-socketappender: DoS via hashmap logging", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux 8 and 9 security impacts have been reduced to Low as they do not enable the vulnerable JDK by default.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-26464" }, { "category": "external", "summary": "RHBZ#2182864", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182864" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-26464", "url": "https://www.cve.org/CVERecord?id=CVE-2023-26464" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-26464", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26464" }, { "category": "external", "summary": "https://www.ibm.com/support/pages/security-bulletin-vulnerability-log4j-1216jar-affect-ibm-operations-analytics-log-analysis-cve-2023-26464", "url": "https://www.ibm.com/support/pages/security-bulletin-vulnerability-log4j-1216jar-affect-ibm-operations-analytics-log-analysis-cve-2023-26464" } ], "release_date": "2023-03-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j1-socketappender: DoS via hashmap logging" }, { "cve": "CVE-2023-39410", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2023-10-06T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2242521" } ], "notes": [ { "category": "description", "text": "A flaw was found in apache-avro. When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints, leading to an out-of-memory error and a denial of service on the system.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-39410" }, { "category": "external", "summary": "RHBZ#2242521", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242521" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-39410", "url": "https://www.cve.org/CVERecord?id=CVE-2023-39410" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39410", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39410" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/AVRO-3819", "url": "https://issues.apache.org/jira/browse/AVRO-3819" } ], "release_date": "2023-09-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK" }, { "cve": "CVE-2024-28752", "cwe": { "id": "CWE-918", "name": "Server-Side Request Forgery (SSRF)" }, "discovery_date": "2024-03-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2270732" } ], "notes": [ { "category": "description", "text": "A server-side request forgery (SSRF) vulnerability was found in Apache CXF. This issue occurs in attacks on webservices that take at least one parameter of any type, and when Aegisdatabind is used. Users of other data bindings including the default databinding are not impacted.", "title": "Vulnerability description" }, { "category": "summary", "text": "cxf-core: Apache CXF SSRF Vulnerability using the Aegis databinding", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat rates this as an Important impact due to the fact this requires Aegis databind, which is not the default databinding for Apache CXF.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-28752" }, { "category": "external", "summary": "RHBZ#2270732", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270732" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2024-28752", "url": "https://www.cve.org/CVERecord?id=CVE-2024-28752" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-28752", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28752" }, { "category": "external", "summary": "https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt", "url": "https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-qmgx-j96g-4428", "url": "https://github.com/advisories/GHSA-qmgx-j96g-4428" } ], "release_date": "2024-03-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "No mitigation is currently available for this vulnerability. Please make sure to update as the fixes become available.", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "cxf-core: Apache CXF SSRF Vulnerability using the Aegis databinding" }, { "cve": "CVE-2024-47561", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2024-10-02T14:04:06.018000+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2316116" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Apache Avro. The project is affected and at risk if it accepts an org.apache.Avro/avroAvro schema for parsing provided by an end user. This flaw allows an attacker to trigger remote code execution by using the special \"java-class\" attribute.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-avro: Schema parsing may trigger Remote Code Execution (RCE)", "title": "Vulnerability summary" }, { "category": "other", "text": "The Red Hat build of Apache Camel K 1.10 was rated Important as it allows users to provide an Avro schema for parsing. Note that this functionality is limited to authenticated users.\n\nRed Hat Single Sign-On 7 ships the affected component in its maven repository but does not use it in the product. As such it is affected but not vulnerable to the flaw, and is assessed at Moderate security impact.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-47561" }, { "category": "external", "summary": "RHBZ#2316116", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316116" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2024-47561", "url": "https://www.cve.org/CVERecord?id=CVE-2024-47561" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47561", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47561" } ], "release_date": "2024-10-03T12:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "1. Avoid parsing user-provided schemas.\n2. Ensure proper input validation and sanitization of schemas before parsing.\n3. Monitor systems for any unusual activities that may indicate exploitation attempts.\n4. Apply the principle of least privilege to minimize the potential impact of successful exploits.", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "apache-avro: Schema parsing may trigger Remote Code Execution (RCE)" } ] }
RHSA-2024:10207
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.3.11 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.10, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.11 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* cxf-core: Apache CXF SSRF Vulnerability using the Aegis databinding [eap-7.3.z] (CVE-2024-28752)\n\n* h2: Loading of custom classes from remote servers through JNDI [eap-7.3.z] (CVE-2022-23221)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer [eap-7.3.z] (CVE-2022-23307)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [eap-7.3.z] (CVE-2022-23305)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [eap-7.3.z] (CVE-2021-4104)\n\n* CXF: Apache CXF: SSRF Vulnerability [eap-7.3.z] (CVE-2022-46364)\n\n* log4j: log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging [eap-7.3.z] (CVE-2023-26464)\n\n* xalan: integer truncation issue in Xalan-J (JAXP, 8285407) [eap-7.3.z] (CVE-2022-34169)\n\n* xnio: StackOverflowException when the chain of notifier states becomes problematically big [eap-7.3.z] (CVE-2023-5685)\n\n* hsqldb: Untrusted input may lead to RCE attack [eap-7.3.z] (CVE-2022-41853)\n\n* server: eap-7: heap exhaustion via deserialization [eap-7.3.z] (CVE-2023-3171)\n\n* avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK [eap-7.3.z] (CVE-2023-39410)\n\n* undertow: client side invocation timeout raised when calling EJB over HTTP and HTTP2 [eap-7.3.z] (CVE-2021-3859)\n\n* avro: apache-avro: Schema parsing may trigger Remote Code Execution (RCE) [eap-7.3.z] (CVE-2024-47561)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2024:10207", "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3", "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/index", "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/index" }, { "category": "external", "summary": "2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "2044596", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044596" }, { "category": "external", "summary": "2108554", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2108554" }, { "category": "external", "summary": "2316116", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316116" }, { "category": "external", "summary": "2136141", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136141" }, { "category": "external", "summary": "2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "2182864", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182864" }, { "category": "external", "summary": "2213639", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2213639" }, { "category": "external", "summary": "2241822", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241822" }, { "category": "external", "summary": "2242521", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242521" }, { "category": "external", "summary": "2270732", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270732" }, { "category": "external", "summary": "JBEAP-23025", "url": "https://issues.redhat.com/browse/JBEAP-23025" }, { "category": "external", "summary": "JBEAP-28084", "url": "https://issues.redhat.com/browse/JBEAP-28084" }, { "category": "external", "summary": "JBEAP-28089", "url": "https://issues.redhat.com/browse/JBEAP-28089" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10207.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.3.11 Security update", "tracking": { "current_release_date": "2025-10-15T14:20:21+00:00", "generator": { "date": "2025-10-15T14:20:21+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2024:10207", "initial_release_date": "2024-11-25T00:12:17+00:00", "revision_history": [ { "date": "2024-11-25T00:12:17+00:00", "number": "1", "summary": "Initial version" }, { "date": "2024-11-25T00:12:17+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-15T14:20:21+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-marshalling@2.0.15-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "product": { "name": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "product_id": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-cxf@3.4.10-1.SP1_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.7.13-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "product": { "name": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "product_id": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-avro@1.7.6-8.redhat_00003.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "product": { "name": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "product_id": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j@2.3.3-2.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src", "product": { "name": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src", "product_id": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xml-security@2.2.3-2.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "product": { "name": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "product_id": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xalan-j2@2.7.1-38.redhat_00015.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-2.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "product": { "name": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "product_id": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-h2database@1.4.197-3.redhat_00004.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-annotations-api_1.3_spec@2.0.1-4.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "product": { "name": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "product_id": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.7.2-12.Final_redhat_00013.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.3.11-4.GA_redhat_00002.1.el7eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-marshalling@2.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-marshalling-river@2.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_id": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-cxf@3.4.10-1.SP1_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_id": "eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-cxf-rt@3.4.10-1.SP1_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_id": "eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-cxf-services@3.4.10-1.SP1_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_id": "eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-cxf-tools@3.4.10-1.SP1_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.7.13-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "product_id": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-avro@1.7.6-8.redhat_00003.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j-bindings@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j-policy@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j-ws-security-common@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j-ws-security-dom@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j-ws-security-policy-stax@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wss4j-ws-security-stax@2.3.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "product_id": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xml-security@2.2.3-2.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "product": { "name": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "product_id": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xalan-j2@2.7.1-38.redhat_00015.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-2.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "product": { "name": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "product_id": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-h2database@1.4.197-3.redhat_00004.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-annotations-api_1.3_spec@2.0.1-4.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap6.4@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap6.4-to-eap7.3@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap7.0@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap7.1@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap7.2@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap7.2-to-eap7.3@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-eap7.3-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly10.0@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly10.1@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly11.0@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly12.0@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly13.0-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly14.0-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly15.0-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly16.0-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly17.0-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly18.0-server@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly8.2@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-wildfly9.0@1.7.2-12.Final_redhat_00013.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.3.11-4.GA_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.3.11-4.GA_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.3.11-4.GA_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.3.11-4.GA_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.3.11-4.GA_redhat_00002.1.el7eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src" }, "product_reference": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch" }, "product_reference": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src" }, "product_reference": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src" }, "product_reference": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch" }, "product_reference": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src" }, "product_reference": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.3-EUS" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3859", "cwe": { "id": "CWE-214", "name": "Invocation of Process Using Visible Sensitive Information" }, "discovery_date": "2021-09-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2010378" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: client side invocation timeout raised when calling over HTTP2", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3859" }, { "category": "external", "summary": "RHBZ#2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3859", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3859" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859" } ], "release_date": "2022-02-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: client side invocation timeout raised when calling over HTTP2" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23221", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2044596" } ], "notes": [ { "category": "description", "text": "A flaw was found in the H2 Console. This flaw allows remote attackers to execute arbitrary code via a JDBC URL, concatenating with a substring that allows remote code execution by using a script.", "title": "Vulnerability description" }, { "category": "summary", "text": "h2: Loading of custom classes from remote servers through JNDI", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift Container Platform (OCP) the openshift-enterprise-3.11/metrics-hawkular-metrics-container container image ships a vulnerable version of h2 as part of the underlying images, but as it uses standard configuration and Console is not enabled/started by default, therefore the impact by this vulnerability is LOW and will not be fixed as OCP 3.x has already reached End of Full Support.\n\n[1] https://access.redhat.com/support/policy/updates/openshift_noncurrent", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23221" }, { "category": "external", "summary": "RHBZ#2044596", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044596" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23221", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23221" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23221", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23221" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-45hx-wfhj-473x", "url": "https://github.com/advisories/GHSA-45hx-wfhj-473x" } ], "release_date": "2022-01-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "h2: Loading of custom classes from remote servers through JNDI" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" }, { "cve": "CVE-2022-34169", "cwe": { "id": "CWE-192", "name": "Integer Coercion Error" }, "discovery_date": "2022-07-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2108554" } ], "notes": [ { "category": "description", "text": "The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.", "title": "Vulnerability description" }, { "category": "summary", "text": "OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-34169" }, { "category": "external", "summary": "RHBZ#2108554", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2108554" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-34169", "url": "https://www.cve.org/CVERecord?id=CVE-2022-34169" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-34169", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34169" } ], "release_date": "2022-07-19T20:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)" }, { "cve": "CVE-2022-41853", "cwe": { "id": "CWE-470", "name": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)" }, "discovery_date": "2022-10-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2136141" } ], "notes": [ { "category": "description", "text": "A flaw was found in the HSQLDB package. This flaw allows untrusted inputs to execute remote code due to any static method of any Java class in the classpath, resulting in code execution by default.", "title": "Vulnerability description" }, { "category": "summary", "text": "hsqldb: Untrusted input may lead to RCE attack", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-41853" }, { "category": "external", "summary": "RHBZ#2136141", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136141" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41853", "url": "https://www.cve.org/CVERecord?id=CVE-2022-41853" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41853", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41853" }, { "category": "external", "summary": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control", "url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-77xx-rxvh-q682", "url": "https://github.com/advisories/GHSA-77xx-rxvh-q682" } ], "release_date": "2022-10-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "By default, the static methods of any class that is on the classpath are available for use and can compromise security in some systems. The optional Java system property, hsqldb.method_class_names, allows preventing access to classes other than java.lang.Math or specifying a semicolon-separated list of allowed classes. A property value that ends with .* is treated as a wild card and allows access to all class or method names formed by substitution of the * (asterisk).\n\nIn the example below, the property has been included as an argument to the Java command.\n\n java -Dhsqldb.method_class_names=\"org.me.MyClass;org.you.YourClass;org.you.lib.*\" [the rest of the command line]\n\nThe above example allows access to the methods in the two classes: org.me.MyClass and org.you.YourClass together with all the classes in the org.you.lib package. Note that if the property is not defined, no access control is performed at this level.\n\nThe user who creates a Java routine must have the relevant access privileges on the tables that are used inside the Java method.\n\nOnce the routine has been defined, the normal database access control applies to its user. The routine can be executed only by those users who have been granted EXECUTE privileges on it. Access to routines can be granted to users with GRANT EXECUTE or GRANT ALL. For example, GRANT EXECUTE ON myroutine TO PUBLIC.\n\nIn hsqldb 2.7.1, all classes by default are not accessible, except those in java.lang.Math and need to be manually enabled.", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "hsqldb: Untrusted input may lead to RCE attack" }, { "cve": "CVE-2022-46364", "cwe": { "id": "CWE-918", "name": "Server-Side Request Forgery (SSRF)" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155682" } ], "notes": [ { "category": "description", "text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: SSRF Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46364" }, { "category": "external", "summary": "RHBZ#2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46364" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364" }, { "category": "external", "summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2", "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "CXF: SSRF Vulnerability" }, { "cve": "CVE-2023-3171", "cwe": { "id": "CWE-789", "name": "Memory Allocation with Excessive Size Value" }, "discovery_date": "2023-04-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2213639" } ], "notes": [ { "category": "description", "text": "A flaw was found in EAP-7 during deserialization of certain classes, which permits instantiation of HashMap and HashTable with no checks on resources consumed. This issue could allow an attacker to submit malicious requests using these classes, which could eventually exhaust the heap and result in a Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "eap-7: heap exhaustion via deserialization", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-3171" }, { "category": "external", "summary": "RHBZ#2213639", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2213639" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-3171", "url": "https://www.cve.org/CVERecord?id=CVE-2023-3171" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-3171", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3171" } ], "release_date": "2023-10-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "eap-7: heap exhaustion via deserialization" }, { "cve": "CVE-2023-5685", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-10-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2241822" } ], "notes": [ { "category": "description", "text": "A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS).", "title": "Vulnerability description" }, { "category": "summary", "text": "xnio: StackOverflowException when the chain of notifier states becomes problematically big", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat rates this vulnerability as an Important impact as the uncontrolled resource consumption may lead to Denial of Service (DoS). This might be intentioned by an attacker who is looking to jeopardize an environment.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-5685" }, { "category": "external", "summary": "RHBZ#2241822", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241822" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-5685", "url": "https://www.cve.org/CVERecord?id=CVE-2023-5685" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-5685", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5685" } ], "release_date": "2024-03-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "There is currently no mitigation available for this vulnerability. Please keep the packages up-to-date as the updates become available.", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "xnio: StackOverflowException when the chain of notifier states becomes problematically big" }, { "cve": "CVE-2023-26464", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-03-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2182864" } ], "notes": [ { "category": "description", "text": "A flaw was found in Chainsaw and SocketAppender components with Log4j 1.x on JRE, less than 1.7. This issue may allow an attacker to use a logging entry with a specially-crafted hashmap or hashtable, depending on which logging component is in use, to process and exhaust the available memory in the virtual machine, resulting in a Denial of Service when the object is deserialized. This issue affects Apache Log4j before version 2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j1-socketappender: DoS via hashmap logging", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux 8 and 9 security impacts have been reduced to Low as they do not enable the vulnerable JDK by default.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-26464" }, { "category": "external", "summary": "RHBZ#2182864", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182864" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-26464", "url": "https://www.cve.org/CVERecord?id=CVE-2023-26464" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-26464", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26464" }, { "category": "external", "summary": "https://www.ibm.com/support/pages/security-bulletin-vulnerability-log4j-1216jar-affect-ibm-operations-analytics-log-analysis-cve-2023-26464", "url": "https://www.ibm.com/support/pages/security-bulletin-vulnerability-log4j-1216jar-affect-ibm-operations-analytics-log-analysis-cve-2023-26464" } ], "release_date": "2023-03-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j1-socketappender: DoS via hashmap logging" }, { "cve": "CVE-2023-39410", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2023-10-06T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2242521" } ], "notes": [ { "category": "description", "text": "A flaw was found in apache-avro. When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints, leading to an out-of-memory error and a denial of service on the system.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-39410" }, { "category": "external", "summary": "RHBZ#2242521", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242521" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-39410", "url": "https://www.cve.org/CVERecord?id=CVE-2023-39410" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39410", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39410" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/AVRO-3819", "url": "https://issues.apache.org/jira/browse/AVRO-3819" } ], "release_date": "2023-09-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK" }, { "cve": "CVE-2024-28752", "cwe": { "id": "CWE-918", "name": "Server-Side Request Forgery (SSRF)" }, "discovery_date": "2024-03-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2270732" } ], "notes": [ { "category": "description", "text": "A server-side request forgery (SSRF) vulnerability was found in Apache CXF. This issue occurs in attacks on webservices that take at least one parameter of any type, and when Aegisdatabind is used. Users of other data bindings including the default databinding are not impacted.", "title": "Vulnerability description" }, { "category": "summary", "text": "cxf-core: Apache CXF SSRF Vulnerability using the Aegis databinding", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat rates this as an Important impact due to the fact this requires Aegis databind, which is not the default databinding for Apache CXF.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-28752" }, { "category": "external", "summary": "RHBZ#2270732", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270732" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2024-28752", "url": "https://www.cve.org/CVERecord?id=CVE-2024-28752" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-28752", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28752" }, { "category": "external", "summary": "https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt", "url": "https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-qmgx-j96g-4428", "url": "https://github.com/advisories/GHSA-qmgx-j96g-4428" } ], "release_date": "2024-03-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "No mitigation is currently available for this vulnerability. Please make sure to update as the fixes become available.", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "cxf-core: Apache CXF SSRF Vulnerability using the Aegis databinding" }, { "cve": "CVE-2024-47561", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2024-10-02T14:04:06.018000+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2316116" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Apache Avro. The project is affected and at risk if it accepts an org.apache.Avro/avroAvro schema for parsing provided by an end user. This flaw allows an attacker to trigger remote code execution by using the special \"java-class\" attribute.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-avro: Schema parsing may trigger Remote Code Execution (RCE)", "title": "Vulnerability summary" }, { "category": "other", "text": "The Red Hat build of Apache Camel K 1.10 was rated Important as it allows users to provide an Avro schema for parsing. Note that this functionality is limited to authenticated users.\n\nRed Hat Single Sign-On 7 ships the affected component in its maven repository but does not use it in the product. As such it is affected but not vulnerable to the flaw, and is assessed at Moderate security impact.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-47561" }, { "category": "external", "summary": "RHBZ#2316116", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316116" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2024-47561", "url": "https://www.cve.org/CVERecord?id=CVE-2024-47561" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47561", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47561" } ], "release_date": "2024-10-03T12:20:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-25T00:12:17+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:10207" }, { "category": "workaround", "details": "1. Avoid parsing user-provided schemas.\n2. Ensure proper input validation and sanitization of schemas before parsing.\n3. Monitor systems for any unusual activities that may indicate exploitation attempts.\n4. Apply the principle of least privilege to minimize the potential impact of successful exploits.", "product_ids": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-rt-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-services-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-apache-cxf-tools-0:3.4.10-1.SP1_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-marshalling-river-0:2.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-cli-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-core-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap6.4-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.2-to-eap7.3-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-eap7.3-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly10.1-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly11.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly12.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly13.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly14.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly15.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly16.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly17.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly18.0-server-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly8.2-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-server-migration-wildfly9.0-0:1.7.2-12.Final_redhat_00013.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.11-4.GA_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-wss4j-bindings-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-policy-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-common-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-dom-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-policy-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-wss4j-ws-security-stax-0:2.3.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap.src", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.3-EUS:eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "apache-avro: Schema parsing may trigger Remote Code Execution (RCE)" } ] }
RHSA-2022:0430
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for Red Hat Data Grid is now available.\n \nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.\n \nData Grid 7.3.9 replaces Data Grid 7.3.8 and includes bug fixes and enhancements. Find out more about Data Grid 7.3.8 in the Release Notes [3].\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0430", "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=7.3\u0026downloadType=patches", "url": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=7.3\u0026downloadType=patches" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0430.json" } ], "title": "Red Hat Security Advisory: Red Hat Data Grid 7.3.9 security update", "tracking": { "current_release_date": "2025-10-09T21:42:15+00:00", "generator": { "date": "2025-10-09T21:42:15+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0430", "initial_release_date": "2022-02-03T14:04:37+00:00", "revision_history": [ { "date": "2022-02-03T14:04:37+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T14:04:37+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:15+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Data Grid 7.3.9", "product": { "name": "Red Hat Data Grid 7.3.9", "product_id": "Red Hat Data Grid 7.3.9", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_data_grid:7.3" } } } ], "category": "product_family", "name": "Red Hat JBoss Data Grid" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:0507
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Data Virtualization.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.\n\nThis Service Pack release of Red Hat JBoss Data Virtualization 6.4.8.SP2 (Service Pack 2) serves as a replacement for Red Hat JBoss Data Virtualization 6.4.8 and Red Hat JBoss Data Virtualization 6.4.8.SP1, and mitigates the impact of the log4j CVE\u0027s referenced in this document by removing the affected classes from the patch.\n\nNote: customers should update their EAP 6.4 installation with the corresponding security fixes that have been released for that (see RHSA-2022:0437 and https://access.redhat.com/site/solutions/625683)\n\nSecurity Fix(es):\n\n* log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\n* log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0507", "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/" }, { "category": "external", "summary": "1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0507.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.4.8.SP2 security update", "tracking": { "current_release_date": "2025-10-10T02:14:56+00:00", "generator": { "date": "2025-10-10T02:14:56+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0507", "initial_release_date": "2022-02-10T17:26:37+00:00", "revision_history": [ { "date": "2022-02-10T17:26:37+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-10T17:26:37+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-10T02:14:56+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Data Virtualization 6.4.8.SP2", "product": { "name": "Red Hat JBoss Data Virtualization 6.4.8.SP2", "product_id": "Red Hat JBoss Data Virtualization 6.4.8.SP2", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Data Virtualization" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-17571", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-12-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1785616" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: deserialization of untrusted data in SocketServer", "title": "Vulnerability summary" }, { "category": "other", "text": "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-17571" }, { "category": "external", "summary": "RHBZ#1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-17571", "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571" } ], "release_date": "2019-12-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: deserialization of untrusted data in SocketServer" }, { "cve": "CVE-2020-9488", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2020-04-25T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1831139" } ], "notes": [ { "category": "description", "text": "Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: improper validation of certificate with host mismatch in SMTP appender", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-9488" }, { "category": "external", "summary": "RHBZ#1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9488", "url": "https://www.cve.org/CVERecord?id=CVE-2020-9488" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488" } ], "release_date": "2020-04-25T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "Previous versions can set the system property mail.smtp.ssl.checkserveridentity to true to globally enable hostname verification for SMTPS connections.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: improper validation of certificate with host mismatch in SMTP appender" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:0449
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat Single Sign-On 7.5 from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.5.1 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0449", "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.5", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.5" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2054", "url": "https://issues.redhat.com/browse/CIAM-2054" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0449.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update", "tracking": { "current_release_date": "2025-10-09T21:42:18+00:00", "generator": { "date": "2025-10-09T21:42:18+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0449", "initial_release_date": "2022-02-07T13:48:02+00:00", "revision_history": [ { "date": "2022-02-07T13:48:02+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:48:02+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:18+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHSSO 7.5.1", "product": { "name": "RHSSO 7.5.1", "product_id": "RHSSO 7.5.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "acknowledgments": [ { "names": [ "Christian D\u00f6lling" ] } ], "cve": "CVE-2022-1466", "cwe": { "id": "CWE-1220", "name": "Insufficient Granularity of Access Control" }, "discovery_date": "2022-02-03T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2050228" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak. The Red Hat Single Sign-On allowed authed users to perform actions outside their permissions. This flaw makes adding users to the master realm possible even though no respective permission was granted.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: Improper authorization for master realm", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1466" }, { "category": "external", "summary": "RHBZ#2050228", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2050228" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1466", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1466" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1466", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1466" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: Improper authorization for master realm" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_5460
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.23 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 6.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n\n* jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS (CVE-2020-14384)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:5460", "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index" }, { "category": "external", "summary": "1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "1871928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1871928" }, { "category": "external", "summary": "1873619", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1873619" }, { "category": "external", "summary": "1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5460.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update", "tracking": { "current_release_date": "2024-12-08T11:37:55+00:00", "generator": { "date": "2024-12-08T11:37:55+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHSA-2022:5460", "initial_release_date": "2022-06-30T19:14:26+00:00", "revision_history": [ { "date": "2022-06-30T19:14:26+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-30T19:14:26+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-08T11:37:55+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el7?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el7?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-13935", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-07-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857024" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Certificate System 10.0 as well as Red Hat Enterprise Linux 8\u0027s Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, there is no entry point for WebSockets, thus it is not possible to trigger the flaw in a supported setup. A future update may fix the code. Similarly, Red Hat OpenStack Platform 13 does not ship with WebSocket functionality enabled by default.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-13935" }, { "category": "external", "summary": "RHBZ#1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-13935", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13935" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935" }, { "category": "external", "summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E", "url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E" }, { "category": "external", "summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7", "url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7" }, { "category": "external", "summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105", "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105" }, { "category": "external", "summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57", "url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57" }, { "category": "external", "summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37", "url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37" } ], "release_date": "2020-07-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS" }, { "cve": "CVE-2020-14384", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1875176" } ], "notes": [ { "category": "description", "text": "A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-14384" }, { "category": "external", "summary": "RHBZ#1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14384", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384" } ], "release_date": "2020-09-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021_5107
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.7.40 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5107", "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5107.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.7.40 security update", "tracking": { "current_release_date": "2025-01-06T21:40:42+00:00", "generator": { "date": "2025-01-06T21:40:42+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.5" } }, "id": "RHSA-2021:5107", "initial_release_date": "2021-12-16T15:00:19+00:00", "revision_history": [ { "date": "2021-12-16T15:00:19+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T15:00:19+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-01-06T21:40:42+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.7", "product": { "name": "Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.7::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "product": { "name": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "product_id": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hadoop\u0026tag=v4.7.0-202112150631.p0.g6046504.assembly.4.7.40" } } }, { "category": "product_version", "name": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "product": { "name": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "product_id": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hive\u0026tag=v4.7.0-202112140553.p0.g091bb99.assembly.stream" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.7.0-202112150631.p0.g3959be4.assembly.4.7.40" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.7.0.202112150631.p0.g3959be4.assembly.4.7.40-1" } } }, { "category": "product_version", "name": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64", "product": { "name": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64", "product_id": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-presto\u0026tag=v4.7.0-202112150631.p0.gd502108.assembly.4.7.40" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" }, "product_reference": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64" }, "product_reference": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" }, "product_reference": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T15:00:19+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T15:00:19+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Critical" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T15:00:19+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
RHSA-2021:5269
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for rh-maven36-log4j12 is now available for Red Hat Software Collections.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Log4j is a tool to help the programmer output log statements to a variety of output targets.\n\nSecurity Fix(es):\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5269", "url": "https://access.redhat.com/errata/RHSA-2021:5269" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5269.json" } ], "title": "Red Hat Security Advisory: rh-maven36-log4j12 security update", "tracking": { "current_release_date": "2025-10-09T21:42:10+00:00", "generator": { "date": "2025-10-09T21:42:10+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2021:5269", "initial_release_date": "2021-12-22T21:29:25+00:00", "revision_history": [ { "date": "2021-12-22T21:29:25+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-22T21:29:25+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:10+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Software Collections for RHEL Workstation(v. 7)", "product": { "name": "Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7" } } }, { "category": "product_name", "name": "Red Hat Software Collections for RHEL(v. 7)", "product": { "name": "Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7" } } } ], "category": "product_family", "name": "Red Hat Software Collections" }, { "branches": [ { "category": "product_version", "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "product": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "product_id": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-maven36-log4j12@1.2.17-23.3.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "product": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "product_id": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-maven36-log4j12@1.2.17-23.3.el7?arch=noarch" } } }, { "category": "product_version", "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "product": { "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "product_id": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-maven36-log4j12-javadoc@1.2.17-23.3.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" }, "product_reference": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" }, "product_reference": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "relates_to_product_reference": "7Workstation-RHSCL-3.8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-22T21:29:25+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5269" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" } ] }
rhsa-2022:0437
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Enterprise Application Platform 6.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis asynchronous patch is an update for JBoss Enterprise Application Platform 6.4. All users of Red Hat JBoss Enterprise Application Platform 6.4 are advised to upgrade to this updated package.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0437", "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0437.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4 security update", "tracking": { "current_release_date": "2025-10-09T21:42:17+00:00", "generator": { "date": "2025-10-09T21:42:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0437", "initial_release_date": "2022-02-03T18:43:46+00:00", "revision_history": [ { "date": "2022-02-03T18:43:46+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:43:46+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 6.4 log4j async", "product": { "name": "EAP 6.4 log4j async", "product_id": "EAP 6.4 log4j async", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:0436
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0436", "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0436.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update", "tracking": { "current_release_date": "2025-10-09T21:42:16+00:00", "generator": { "date": "2025-10-09T21:42:16+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0436", "initial_release_date": "2022-02-03T18:30:42+00:00", "revision_history": [ { "date": "2022-02-03T18:30:42+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:30:42+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:16+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7" } } }, { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el8eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el8eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:0290
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0290", "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0290.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2025-10-09T21:42:15+00:00", "generator": { "date": "2025-10-09T21:42:15+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0290", "initial_release_date": "2022-01-26T14:51:27+00:00", "revision_history": [ { "date": "2022-01-26T14:51:27+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:51:27+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:15+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream (v. 8)", "product": { "name": "Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN", "product_identification_helper": { "cpe": "cpe:/a:redhat:enterprise_linux:8::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "product": { "name": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm (parfait:0.5)", "product_id": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "product": { "name": "parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm (parfait:0.5)", "product_id": "parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "product": { "name": "parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm (parfait:0.5)", "product_id": "parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "product": { "name": "pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm (parfait:0.5)", "product_id": "pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "product": { "name": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm (parfait:0.5)", "product_id": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=src\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8050020220124063900:6b489b78" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5" }, "product_reference": "parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5" }, "product_reference": "pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.5.0.Z.MAIN:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2024_5856
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7.\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.1.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.1.7 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* undertow: EAP: field-name is not parsed in accordance to RFC7230 [eap-7.1.z] (CVE-2020-1710)\n\n* commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default [eap-7.1.z] (CVE-2019-10086)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [eap-7.1.z] (CVE-2022-23302)\n\n* jackson-databind: default typing mishandling leading to remote code execution [eap-7.1.z] (CVE-2019-14379)\n\n* undertow: HTTP/2: flood using HEADERS frames results in unbounded memory growth [eap-7.1.z] (CVE-2019-9514)\n\n* undertow: AJP File Read/Inclusion Vulnerability [eap-7.1.z] (CVE-2020-1745)\n\n* undertow: HTTP/2: large amount of data requests leads to denial of service [eap-7.1.z] (CVE-2019-9511)\n\n* undertow: servletPath in normalized incorrectly leading to dangerous application mapping which could result in security bypass [eap-7.1.z] (CVE-2020-1757)\n\n* undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS [eap-7.1.z] (CVE-2019-14888)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer [eap-7.1.z] (CVE-2022-23307)\n\n* netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header [eap-7.1.z] (CVE-2019-20445)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [eap-7.1.z] (CVE-2021-4104)\n\n* undertow: HTTP/2: flood using SETTINGS frames results in unbounded memory growth [eap-7.1.z] (CVE-2019-9515)\n\n* infinispan-core: infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods [eap-7.1.z] (CVE-2019-10174)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [eap-7.1.z] (CVE-2022-23305)\n\n* jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution [eap-7.1.z] (CVE-2019-12384)\n\n* wildfly-security-manager: security manager authorization bypass (CVE-2019-14843)\n\n* HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)\n\n* netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)\n\n* jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)\n\n* netty: HTTP request smuggling (CVE-2019-20444)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2024:5856", "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1", "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1/html-single/installation_guide/index", "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1/html-single/installation_guide/index" }, { "category": "external", "summary": "1703469", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1703469" }, { "category": "external", "summary": "1725807", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1725807" }, { "category": "external", "summary": "1735645", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735645" }, { "category": "external", "summary": "1735744", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735744" }, { "category": "external", "summary": "1735745", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735745" }, { "category": "external", "summary": "1737517", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737517" }, { "category": "external", "summary": "1741860", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1741860" }, { "category": "external", "summary": "1752770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752770" }, { "category": "external", "summary": "1752980", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752980" }, { "category": "external", "summary": "1758619", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758619" }, { "category": "external", "summary": "1767483", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1767483" }, { "category": "external", "summary": "1772464", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1772464" }, { "category": "external", "summary": "1775293", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1775293" }, { "category": "external", "summary": "1793970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970" }, { "category": "external", "summary": "1798509", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798509" }, { "category": "external", "summary": "1798524", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798524" }, { "category": "external", "summary": "1807305", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1807305" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-24826", "url": "https://issues.redhat.com/browse/JBEAP-24826" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_5856.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.1.7 on RHEL 7 security update", "tracking": { "current_release_date": "2024-12-29T18:38:42+00:00", "generator": { "date": "2024-12-29T18:38:42+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.4" } }, "id": "RHSA-2024:5856", "initial_release_date": "2024-08-26T11:05:47+00:00", "revision_history": [ { "date": "2024-08-26T11:05:47+00:00", "number": "1", "summary": "Initial version" }, { "date": "2024-08-26T11:05:47+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-29T18:38:42+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "product_id": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@1.4.18-12.SP12_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "product_id": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-netty@4.1.45-1.Final_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "product_id": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.1.13-1.Final_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "product": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "product_id": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-commons-beanutils@1.9.4-1.redhat_00002.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "product_id": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "product_id": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.8.11.5-1.redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "product": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "product_id": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.1.7-2.GA_redhat_00002.1.ep7.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@1.4.18-12.SP12_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-netty@4.1.45-1.Final_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-netty-all@4.1.45-1.Final_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.1.13-1.Final_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-commons-beanutils@1.9.4-1.redhat_00002.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-jdbc@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-remote@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-client-hotrod@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-commons@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-core@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.8.11.5-1.redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.1.7-2.GA_redhat_00002.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.1.7-2.GA_redhat_00002.1.ep7.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src" }, "product_reference": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src" }, "product_reference": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-9511", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1741860" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. An attacker can request a large amount of data by manipulating window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this queue can consume excess CPU, memory, or both, leading to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: large amount of data requests leads to denial of service", "title": "Vulnerability summary" }, { "category": "other", "text": "There are no mitigations available for nghttp2 and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9511" }, { "category": "external", "summary": "RHBZ#1741860", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1741860" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9511", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9511" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9511", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9511" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://kb.cert.org/vuls/id/605641/", "url": "https://kb.cert.org/vuls/id/605641/" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/", "url": "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/" } ], "release_date": "2019-08-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "Red Hat Quay 3.0 uses Nginx 1.12 from Red Hat Software Collections. It will be updated once a fixed is released for Software Collections. In the meantime users of Quay can disable http/2 support in Nginx by following these instructions:\n\n1. Copy the Nginx configuration from the quay container to the host\n$ docker cp 3aadf1421ba3:/quay-registry/conf/nginx/ /mnt/quay/nginx\n\n2. Edit the Nginx configuration, removing http/2 support\n$ sed -i \u0027s/http2 //g\u0027 /mnt/quay/nginx/nginx.conf\n\n3. Restart Nginx with the new configuration mounted into the container, eg:\n$ docker run --restart=always -p 443:8443 -p 80:8080 --sysctl net.core.somaxconn=4096 -v /mnt/quay/config:/conf/stack:Z -v /mnt/quay/storage:/datastorage -v /mnt/quay/nginx:/quay-registry/config/nginx:Z -d quay.io/redhat/quay:v3.0.3", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: large amount of data requests leads to denial of service" }, { "acknowledgments": [ { "names": [ "the Envoy security team" ] } ], "cve": "CVE-2019-9512", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1735645" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. Using PING frames and queuing of response PING ACK frames, a flood attack could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: flood using PING frames results in unbounded memory growth", "title": "Vulnerability summary" }, { "category": "other", "text": "The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24.Aug.2019.\nThis issue did not affect the versions of grafana(embeds golang) as shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3 as they did not include the support for HTTP/2.\nThe following storage product versions are affected because they include the support for HTTP/2 in:\n* golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3\n* heketi(embeds golang) as shipped with Red Hat Gluster Storage 3\n* grafana(embeds golang and grpc) as shipped with Red Hat Ceph Storage 3\nThis flaw has no available mitigation for packages golang and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.\n\nAll OpenShift Container Platform RPMs and container images that are built with Go and support HTTP/2 are vulnerable to this flaw.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9512" }, { "category": "external", "summary": "RHBZ#1735645", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735645" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9512", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9512" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9512", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9512" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg", "url": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA", "url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html" } ], "release_date": "2019-08-13T17:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: flood using PING frames results in unbounded memory growth" }, { "acknowledgments": [ { "names": [ "the Envoy security team" ] } ], "cve": "CVE-2019-9514", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1735744" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. Using HEADER frames with invalid HTTP headers and queuing of response RST_STREAM frames, an attacker could cause a flood resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: flood using HEADERS frames results in unbounded memory growth", "title": "Vulnerability summary" }, { "category": "other", "text": "The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24.Aug.2019.\nThis issue did not affect the versions of grafana(embeds golang) as shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3 as they did not include the support for HTTP/2.\nThe following storage product versions are affected because they include the support for HTTP/2 in:\n* golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3\n* heketi(embeds golang) as shipped with Red Hat Gluster Storage 3\n* grafana(embeds golang and grpc) as shipped with Red Hat Ceph Storage 3\nThis flaw has no available mitigation for packages golang and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.\n\nAll OpenShift Container Platform RPMs and container images that are built with Go and support HTTP/2 are vulnerable to this flaw.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9514" }, { "category": "external", "summary": "RHBZ#1735744", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735744" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9514", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9514" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9514", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9514" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg", "url": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA", "url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html" } ], "release_date": "2019-08-13T17:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: flood using HEADERS frames results in unbounded memory growth" }, { "acknowledgments": [ { "names": [ "the Envoy security team" ] } ], "cve": "CVE-2019-9515", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1735745" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. Using SETTINGS frames and queuing of SETTINGS ACK frames, a flood could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: flood using SETTINGS frames results in unbounded memory growth", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue affects the version of grafana(embeds gRPC) as shipped with Red Hat Ceph Storage 3 as it include the support for HTTP/2.\nThis flaw has no available mitigation for nodejs package. It will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9515" }, { "category": "external", "summary": "RHBZ#1735745", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735745" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9515", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9515" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9515", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9515" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html" } ], "release_date": "2019-08-13T17:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: flood using SETTINGS frames results in unbounded memory growth" }, { "cve": "CVE-2019-10086", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-10-31T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1767483" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Commons BeanUtils, where the class property in PropertyUtilsBean is not suppressed by default. This flaw allows an attacker to access the classloader.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-10086" }, { "category": "external", "summary": "RHBZ#1767483", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1767483" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-10086", "url": "https://www.cve.org/CVERecord?id=CVE-2019-10086" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10086", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10086" }, { "category": "external", "summary": "https://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt", "url": "https://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt" } ], "release_date": "2019-08-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "There is no currently known mitigation for this flaw.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default" }, { "cve": "CVE-2019-10174", "cwe": { "id": "CWE-470", "name": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)" }, "discovery_date": "2018-10-25T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1703469" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan\u0027s privileges. The attacker can use reflection to introduce new, malicious behavior into the application.", "title": "Vulnerability description" }, { "category": "summary", "text": "infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight contains the vulnerable library. This library is a requirement of other dependencies (Karaf and Hibernate). Under supported deployments, the vulnerable functionality is not utilized. Based on this, no OpenDaylight versions will not be fixed.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-10174" }, { "category": "external", "summary": "RHBZ#1703469", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1703469" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-10174", "url": "https://www.cve.org/CVERecord?id=CVE-2019-10174" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10174", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10174" } ], "release_date": "2019-11-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "There is no known mitigation for this issue.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods" }, { "cve": "CVE-2019-12384", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-06-25T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1725807" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in FasterXML jackson-databind in versions prior to 2.9.9. The vulnerability would permit polymorphic deserialization of malicious objects using the logback-core gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. Depending on the classpath content, remote code execution may be possible.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack\u0027s OpenDaylight does not use logback in any supported configuration. Therefore, the prerequisites for this vulnerability are not present and OpenDaylight is not affected.\n\nThis vulnerability relies on logback-core (ch.qos.logback.core) being present in the application\u0027s ClassPath. Logback-core is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. Applications using jackson-databind that do not also use logback-core are not impacted by this vulnerability.\n\nThis issue affects the versions of jackson-databind bundled with candlepin as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-12384" }, { "category": "external", "summary": "RHBZ#1725807", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1725807" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-12384", "url": "https://www.cve.org/CVERecord?id=CVE-2019-12384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-12384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12384" } ], "release_date": "2019-06-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution" }, { "cve": "CVE-2019-14379", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-07-29T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1737517" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache and logback JNDI gadgets when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: default typing mishandling leading to remote code execution", "title": "Vulnerability summary" }, { "category": "other", "text": "While OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nSimilarly, Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-14379" }, { "category": "external", "summary": "RHBZ#1737517", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737517" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-14379", "url": "https://www.cve.org/CVERecord?id=CVE-2019-14379" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14379", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14379" } ], "release_date": "2019-07-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jackson-databind: default typing mishandling leading to remote code execution" }, { "cve": "CVE-2019-14843", "cwe": { "id": "CWE-592", "name": "CWE-592" }, "discovery_date": "2019-09-17T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1752980" } ], "notes": [ { "category": "description", "text": "A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "wildfly-security-manager: security manager authorization bypass", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-14843" }, { "category": "external", "summary": "RHBZ#1752980", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752980" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-14843", "url": "https://www.cve.org/CVERecord?id=CVE-2019-14843" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14843", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14843" } ], "release_date": "2019-09-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "This flaw only affects the Security Manager running under JDK 11 or 8. To mitigate exposure to this flaw, do not run under those JDK versions.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "wildfly-security-manager: security manager authorization bypass" }, { "acknowledgments": [ { "names": [ "Henning Baldersheim", "H\u00e5vard Pettersen" ], "organization": "Verizon Media" } ], "cve": "CVE-2019-14888", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-10-25T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1772464" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in the Undertow HTTP server listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-14888" }, { "category": "external", "summary": "RHBZ#1772464", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1772464" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-14888", "url": "https://www.cve.org/CVERecord?id=CVE-2019-14888" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14888", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14888" } ], "release_date": "2020-01-20T12:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "Enable HTTP2 (enable-http2=\"true\") in the undertow\u0027s HTTPS settings.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS" }, { "cve": "CVE-2019-16869", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2019-09-26T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1758619" } ], "notes": [ { "category": "description", "text": "A flaw was found in Netty, where whitespace before the colon in HTTP headers is mishandled. This flaw allows an attacker to cause HTTP request smuggling.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that this vulnerability does not poses a substantial practical threat to ElasticSearch 6 [1]. We agree that this issue would be difficult to exploit these vulnerabilities on OpenShift Container Platform, so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships vulnerable netty version embedded in Candlepin, however, is not directly vulnerable since HTTP requests are handled by Tomcat and not netty.\n\n[1] https://github.com/elastic/elasticsearch/issues/49396", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-16869" }, { "category": "external", "summary": "RHBZ#1758619", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758619" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-16869", "url": "https://www.cve.org/CVERecord?id=CVE-2019-16869" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-16869", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16869" } ], "release_date": "2019-09-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers" }, { "cve": "CVE-2019-17531", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2019-11-21T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1775293" } ], "notes": [ { "category": "description", "text": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*", "title": "Vulnerability summary" }, { "category": "other", "text": "Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenShift Container Platform does ship the vulnerable component, but does not enable the unsafe conditions needed to exploit, lowering their vulnerability impact.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-17531" }, { "category": "external", "summary": "RHBZ#1775293", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1775293" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-17531", "url": "https://www.cve.org/CVERecord?id=CVE-2019-17531" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17531", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17531" } ], "release_date": "2019-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*" }, { "cve": "CVE-2019-20444", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2020-01-30T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1798524" } ], "notes": [ { "category": "description", "text": "A HTTP smuggling flaw was found in HttpObjectDecoder.java in Netty in versions prior to version 4.1.44. HTTP headers with an invalid fold, in this case CRLF (carriage return, line feed) without being followed by SP (space) or HTAB (horizontal tab), result in situations where headers can be misread. Data integrity is the highest threat with this vulnerability.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: HTTP request smuggling", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that the previous vulnerability, CVE-2019-16869, does not pose a substantial practical threat to ElasticSearch 6. We agree that these issues would be difficult to exploit on OpenShift Container Platform so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships a vulnerable version of netty embedded in Candlepin. However, the flaw can not be triggered in that context, because HTTP requests are handled by Tomcat, not by netty. A future release may fix this.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20444" }, { "category": "external", "summary": "RHBZ#1798524", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798524" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20444", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20444" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444" }, { "category": "external", "summary": "https://github.com/elastic/elasticsearch/issues/49396", "url": "https://github.com/elastic/elasticsearch/issues/49396" } ], "release_date": "2020-01-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "netty: HTTP request smuggling" }, { "cve": "CVE-2019-20445", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2020-01-20T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1798509" } ], "notes": [ { "category": "description", "text": "A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a server, it could result in a viable HTTP smuggling vulnerability.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that the previous vulnerability, CVE-2019-16869, does not poses a substantial practical threat to ElasticSearch 6 [1]. We agree that this issue would be difficult to exploit both these vulnerabilities on OpenShift Container Platform, so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships a vulnerable version of netty embedded in Candlepin. However, the flaw can not be triggered in that context, because HTTP requests are handled by Tomcat, not by netty. A future release may fix this.\n\n[1] https://github.com/elastic/elasticsearch/issues/49396", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20445" }, { "category": "external", "summary": "RHBZ#1798509", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798509" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20445", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20445" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445" } ], "release_date": "2020-01-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header" }, { "cve": "CVE-2020-1710", "cwe": { "id": "CWE-113", "name": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)" }, "discovery_date": "2019-12-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1793970" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in JBoss EAP, where it does not process the header field-name in accordance with RFC7230. Whitespace between the header field-name and colon is processed, resulting in an HTTP response code of 200 instead of a bad request of 400.", "title": "Vulnerability description" }, { "category": "summary", "text": "EAP: field-name is not parsed in accordance to RFC7230", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1710" }, { "category": "external", "summary": "RHBZ#1793970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1710", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1710" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1710", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1710" } ], "release_date": "2020-08-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "There is currently no known mitigation for this issue.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "EAP: field-name is not parsed in accordance to RFC7230" }, { "acknowledgments": [ { "names": [ "Steve Zapantis", "Robert Roberson", "taktakdb4g" ] } ], "cve": "CVE-2020-1745", "cwe": { "id": "CWE-285", "name": "Improper Authorization" }, "discovery_date": "2020-02-24T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1807305" } ], "notes": [ { "category": "description", "text": "A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: AJP File Read/Inclusion Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251 and CVE page https://access.redhat.com/security/cve/cve-2020-1938", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1745" }, { "category": "external", "summary": "RHBZ#1807305", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1807305" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1745", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1745" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1745", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1745" }, { "category": "external", "summary": "https://meterpreter.org/cve-2020-1938-apache-tomcat-ajp-connector-remote-code-execution-vulnerability-alert/", "url": "https://meterpreter.org/cve-2020-1938-apache-tomcat-ajp-connector-remote-code-execution-vulnerability-alert/" }, { "category": "external", "summary": "https://www.cnvd.org.cn/webinfo/show/5415", "url": "https://www.cnvd.org.cn/webinfo/show/5415" }, { "category": "external", "summary": "https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487", "url": "https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487" } ], "release_date": "2020-02-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: AJP File Read/Inclusion Vulnerability" }, { "acknowledgments": [ { "names": [ "Fedorov Oleksii", "Keitaro Yamazaki", "Shiga Ryota" ], "organization": "LINE Corporation" } ], "cve": "CVE-2020-1757", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2019-09-09T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1752770" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow, where the servlet container causes the servletPath to normalize incorrectly by truncating the path after the semicolon. The flaw may lead to application mapping, resulting in a security bypass.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1757" }, { "category": "external", "summary": "RHBZ#1752770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752770" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1757", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1757" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1757", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1757" } ], "release_date": "2018-12-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The issue can be mitigated by configuring UrlPathHelper to ignore the servletPath via setting \"alwaysUseFullPath\".", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
RHSA-2022:0445
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A new image is available for Red Hat Single Sign-On 7.4.10 on OpenJ9, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.4.10 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.3 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0445", "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2059", "url": "https://issues.redhat.com/browse/CIAM-2059" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0445.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.4.10 on OpenJ9 for OpenShift image security update", "tracking": { "current_release_date": "2025-10-09T21:42:17+00:00", "generator": { "date": "2025-10-09T21:42:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0445", "initial_release_date": "2022-02-07T14:22:21+00:00", "revision_history": [ { "date": "2022-02-07T14:22:21+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T14:22:22+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Middleware Containers for OpenShift", "product": { "name": "Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhosemc:1.0::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "product": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "product_id": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "product_identification_helper": { "purl": "pkg:oci/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8?arch=s390x\u0026repository_url=registry.redhat.io/rh-sso-7/sso74-openj9-openshift-rhel8\u0026tag=7.4-60" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "product": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "product_id": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "product_identification_helper": { "purl": "pkg:oci/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96?arch=ppc64le\u0026repository_url=registry.redhat.io/rh-sso-7/sso74-openj9-openshift-rhel8\u0026tag=7.4-60" } } } ], "category": "architecture", "name": "ppc64le" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le" }, "product_reference": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" }, "product_reference": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "relates_to_product_reference": "8Base-RHOSE-Middleware" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:0291
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0291", "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0291.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2025-10-09T21:42:15+00:00", "generator": { "date": "2025-10-09T21:42:15+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0291", "initial_release_date": "2022-01-26T14:54:58+00:00", "revision_history": [ { "date": "2022-01-26T14:54:58+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:54:58+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:15+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product": { "name": "Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_eus:8.2::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "product": { "name": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm (parfait:0.5)", "product_id": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "product": { "name": "parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm (parfait:0.5)", "product_id": "parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "product": { "name": "parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm (parfait:0.5)", "product_id": "parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "product": { "name": "pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm (parfait:0.5)", "product_id": "pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product": { "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5)", "product_id": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "product": { "name": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm (parfait:0.5)", "product_id": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=src\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm (parfait:0.5)", "product_id": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src\u0026rpmmod=parfait:0.5:8020020220124231008:1c5d4e8a" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5" }, "product_reference": "parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5" }, "product_reference": "parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5" }, "product_reference": "pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5" }, "product_reference": "uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm (parfait:0.5) as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" }, "product_reference": "uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-0.5.4-4.module+el8.2.0+13999+fa2fb353.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-examples-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:parfait-javadoc-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:pcp-parfait-agent-0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-0.6.5-2.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-1.0-5.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-1.0.1-6.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-parent-1.0.3-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-1.0.4-3.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-0.7-1.module+el8+2463+615f6896.src.rpm-parfait:0.5", "AppStream-8.2.0.Z.EUS:uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpm-parfait:0.5" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0524
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Web Server 3.1 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 14 serves as a replacement for Red Hat JBoss Web Server 3.1 Service Pack 13. This release includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [jws-3] (CVE-2022-23302)\n* log4j-eap6: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [jws-3] (CVE-2022-23305)\n* log4j-eap6: log4j: Unsafe deserialization flaw in Chainsaw log viewer [jws-3] (CVE-2022-23307)\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [jws-3.1] (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0524", "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0524.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Web Server 3.1 Service Pack 14 Security Update", "tracking": { "current_release_date": "2024-11-26T02:52:20+00:00", "generator": { "date": "2024-11-26T02:52:20+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0524", "initial_release_date": "2022-02-14T17:10:12+00:00", "revision_history": [ { "date": "2022-02-14T17:10:12+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-14T17:10:12+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:52:20+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Web Server 3.1 for RHEL 7", "product": { "name": "Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Web Server" }, { "branches": [ { "category": "product_version", "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "product": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "product_id": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-native@1.2.23-26.redhat_26.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "tomcat7-0:7.0.70-46.ep7.el7.src", "product": { "name": "tomcat7-0:7.0.70-46.ep7.el7.src", "product_id": "tomcat7-0:7.0.70-46.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7@7.0.70-46.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "tomcat8-0:8.0.36-49.ep7.el7.src", "product": { "name": "tomcat8-0:8.0.36-49.ep7.el7.src", "product_id": "tomcat8-0:8.0.36-49.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8@8.0.36-49.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_id": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-native@1.2.23-26.redhat_26.ep7.el7?arch=x86_64" } } }, { "category": "product_version", "name": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product": { "name": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_id": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-native-debuginfo@1.2.23-26.redhat_26.ep7.el7?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-admin-webapps@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-docs-webapp@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-el-2.2-api@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-javadoc@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-jsp-2.2-api@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-jsvc@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-lib@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-log4j@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-selinux@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-servlet-3.0-api@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-webapps@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-admin-webapps@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-docs-webapp@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-el-2.2-api@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-javadoc@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-jsp-2.3-api@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-jsvc@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-lib@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-log4j@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-selinux@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-servlet-3.1-api@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-webapps@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src" }, "product_reference": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64" }, "product_reference": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64" }, "product_reference": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-0:7.0.70-46.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src" }, "product_reference": "tomcat7-0:7.0.70-46.ep7.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-0:8.0.36-49.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src" }, "product_reference": "tomcat8-0:8.0.36-49.ep7.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:5459
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.23 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 6.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n\n* jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS (CVE-2020-14384)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:5459", "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index" }, { "category": "external", "summary": "1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "1871928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1871928" }, { "category": "external", "summary": "1873620", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1873620" }, { "category": "external", "summary": "1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5459.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update", "tracking": { "current_release_date": "2025-10-09T20:37:17+00:00", "generator": { "date": "2025-10-09T20:37:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:5459", "initial_release_date": "2022-06-30T19:00:12+00:00", "revision_history": [ { "date": "2022-06-30T19:00:12+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-30T19:00:12+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T20:37:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el6?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el6?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-13935", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-07-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857024" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Certificate System 10.0 as well as Red Hat Enterprise Linux 8\u0027s Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, there is no entry point for WebSockets, thus it is not possible to trigger the flaw in a supported setup. A future update may fix the code. Similarly, Red Hat OpenStack Platform 13 does not ship with WebSocket functionality enabled by default.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-13935" }, { "category": "external", "summary": "RHBZ#1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-13935", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13935" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935" }, { "category": "external", "summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E", "url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E" }, { "category": "external", "summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7", "url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7" }, { "category": "external", "summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105", "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105" }, { "category": "external", "summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57", "url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57" }, { "category": "external", "summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37", "url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37" } ], "release_date": "2020-07-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS" }, { "cve": "CVE-2020-14384", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1875176" } ], "notes": [ { "category": "description", "text": "A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-14384" }, { "category": "external", "summary": "RHBZ#1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14384", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384" } ], "release_date": "2020-09-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021:5148
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.8.24 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact\nof Critical. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5148", "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5148.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.8.24 extras security update", "tracking": { "current_release_date": "2025-10-22T11:00:16+00:00", "generator": { "date": "2025-10-22T11:00:16+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2021:5148", "initial_release_date": "2021-12-15T20:09:32+00:00", "revision_history": [ { "date": "2021-12-15T20:09:32+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T16:08:07+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-22T11:00:16+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.8", "product": { "name": "Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.8::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "product": { "name": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "product_id": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hadoop\u0026tag=v4.8.0-202112150431.p0.gebd9cb4.assembly.art3599" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.8.0-202112150431.p0.g0d7ecfb.assembly.art3599" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.8.0.202112150431.p0.g0d7ecfb.assembly.art3599-1" } } }, { "category": "product_version", "name": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64", "product": { "name": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64", "product_id": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-presto\u0026tag=v4.8.0-202112150431.p0.g4b934ae.assembly.art3599" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" }, "product_reference": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" }, "product_reference": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-15T20:09:32+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-15T20:09:32+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Critical" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-15T20:09:32+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
rhsa-2022_1296
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:1296", "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-22105", "url": "https://issues.redhat.com/browse/JBEAP-22105" }, { "category": "external", "summary": "JBEAP-22385", "url": "https://issues.redhat.com/browse/JBEAP-22385" }, { "category": "external", "summary": "JBEAP-22731", "url": "https://issues.redhat.com/browse/JBEAP-22731" }, { "category": "external", "summary": "JBEAP-22738", "url": "https://issues.redhat.com/browse/JBEAP-22738" }, { "category": "external", "summary": "JBEAP-22819", "url": "https://issues.redhat.com/browse/JBEAP-22819" }, { "category": "external", "summary": "JBEAP-22839", "url": "https://issues.redhat.com/browse/JBEAP-22839" }, { "category": "external", "summary": "JBEAP-22864", "url": "https://issues.redhat.com/browse/JBEAP-22864" }, { "category": "external", "summary": "JBEAP-22899", "url": "https://issues.redhat.com/browse/JBEAP-22899" }, { "category": "external", "summary": "JBEAP-22904", "url": "https://issues.redhat.com/browse/JBEAP-22904" }, { "category": "external", "summary": "JBEAP-22911", "url": "https://issues.redhat.com/browse/JBEAP-22911" }, { "category": "external", "summary": "JBEAP-22912", "url": "https://issues.redhat.com/browse/JBEAP-22912" }, { "category": "external", "summary": "JBEAP-22913", "url": "https://issues.redhat.com/browse/JBEAP-22913" }, { "category": "external", "summary": "JBEAP-22935", "url": "https://issues.redhat.com/browse/JBEAP-22935" }, { "category": "external", "summary": "JBEAP-22945", "url": "https://issues.redhat.com/browse/JBEAP-22945" }, { "category": "external", "summary": "JBEAP-22973", "url": "https://issues.redhat.com/browse/JBEAP-22973" }, { "category": "external", "summary": "JBEAP-23038", "url": "https://issues.redhat.com/browse/JBEAP-23038" }, { "category": "external", "summary": "JBEAP-23040", "url": "https://issues.redhat.com/browse/JBEAP-23040" }, { "category": "external", "summary": "JBEAP-23045", "url": "https://issues.redhat.com/browse/JBEAP-23045" }, { "category": "external", "summary": "JBEAP-23101", "url": "https://issues.redhat.com/browse/JBEAP-23101" }, { "category": "external", "summary": "JBEAP-23105", "url": "https://issues.redhat.com/browse/JBEAP-23105" }, { "category": "external", "summary": "JBEAP-23143", "url": "https://issues.redhat.com/browse/JBEAP-23143" }, { "category": "external", "summary": "JBEAP-23177", "url": "https://issues.redhat.com/browse/JBEAP-23177" }, { "category": "external", "summary": "JBEAP-23323", "url": "https://issues.redhat.com/browse/JBEAP-23323" }, { "category": "external", "summary": "JBEAP-23373", "url": "https://issues.redhat.com/browse/JBEAP-23373" }, { "category": "external", "summary": "JBEAP-23374", "url": "https://issues.redhat.com/browse/JBEAP-23374" }, { "category": "external", "summary": "JBEAP-23375", "url": "https://issues.redhat.com/browse/JBEAP-23375" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1296.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update", "tracking": { "current_release_date": "2024-11-26T02:53:09+00:00", "generator": { "date": "2024-11-26T02:53:09+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:1296", "initial_release_date": "2022-04-11T12:59:41+00:00", "revision_history": [ { "date": "2022-04-11T12:59:41+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-04-11T12:59:41+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-26T02:53:09+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el7eap?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el7-x86_64@2.2.0-2.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el7eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-core@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-entitymanager@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-envers@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-java8@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-compensations@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbosstxbridge@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbossxts@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-idlj@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-integration@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-api@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-bridge@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-integration@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-util@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-txframework@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-cli@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-commons@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-core-client@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-dto@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hornetq-protocol@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hqclient-protocol@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jdbc-store@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-client@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-server@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-journal@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-ra@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-selector@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-server@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-service-extensions@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-tools@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.11-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-jdbc@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-remote@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-client-hotrod@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-commons@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-component-annotations@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-core@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-commons@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-spi@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-v53@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el7eap?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-java@2.2.0-3.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-15.Final_redhat_00014.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-15.Final_redhat_00014.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_id": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el7-x86_64@2.2.0-2.Final_redhat_00002.1.el7eap?arch=x86_64" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_id": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el7-x86_64-debuginfo@2.2.0-2.Final_redhat_00002.1.el7eap?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022:0446
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat Single Sign-On 7.4 from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.4.10 serves as a replacement for Red Hat Single Sign-On 7.4.9, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0446", "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.4" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2064", "url": "https://issues.redhat.com/browse/CIAM-2064" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0446.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.4.10 security update", "tracking": { "current_release_date": "2025-10-09T21:42:17+00:00", "generator": { "date": "2025-10-09T21:42:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2022:0446", "initial_release_date": "2022-02-07T13:43:49+00:00", "revision_history": [ { "date": "2022-02-07T13:43:49+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:43:49+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-09T21:42:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Single Sign-On 7.4.10", "product": { "name": "Red Hat Single Sign-On 7.4.10", "product_id": "Red Hat Single Sign-On 7.4.10", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
CERTFR-2023-AVI-0073
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneVendor | Product | Description | ||
---|---|---|---|---|
IBM | N/A | IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions v3.5 à v4.6.x antérieures à v4.6.2 | ||
IBM | N/A | IBM Cognos Command Center 10.2.4.1 sans le correctif de sécurité Fixpack 1 (disponible prochainement) | ||
IBM | Sterling | IBM Sterling Transformation Extender versions 10.0.0, 10.1, 10.1.1 et 10.1.2 sans le dernier correctif de sécurité |
Title | Publication Time | Tags | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
|
{ "$ref": "https://www.cert.ssi.gouv.fr/openapi.json", "affected_systems": [ { "description": "IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions v3.5 \u00e0 v4.6.x ant\u00e9rieures \u00e0 v4.6.2", "product": { "name": "N/A", "vendor": { "name": "IBM", "scada": false } } }, { "description": "IBM Cognos Command Center 10.2.4.1 sans le correctif de s\u00e9curit\u00e9 Fixpack 1 (disponible prochainement)", "product": { "name": "N/A", "vendor": { "name": "IBM", "scada": false } } }, { "description": "IBM Sterling Transformation Extender versions 10.0.0, 10.1, 10.1.1 et 10.1.2 sans le dernier correctif de s\u00e9curit\u00e9", "product": { "name": "Sterling", "vendor": { "name": "IBM", "scada": false } } } ], "affected_systems_content": null, "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n", "cves": [ { "name": "CVE-2021-35550", "url": "https://www.cve.org/CVERecord?id=CVE-2021-35550" }, { "name": "CVE-2018-11775", "url": "https://www.cve.org/CVERecord?id=CVE-2018-11775" }, { "name": "CVE-2022-37603", "url": "https://www.cve.org/CVERecord?id=CVE-2022-37603" }, { "name": "CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "name": "CVE-2021-35517", "url": "https://www.cve.org/CVERecord?id=CVE-2021-35517" }, { "name": "CVE-2021-35603", "url": "https://www.cve.org/CVERecord?id=CVE-2021-35603" }, { "name": "CVE-2021-36090", "url": "https://www.cve.org/CVERecord?id=CVE-2021-36090" }, { "name": "CVE-2022-37601", "url": "https://www.cve.org/CVERecord?id=CVE-2022-37601" }, { "name": "CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "name": "CVE-2017-7525", "url": "https://www.cve.org/CVERecord?id=CVE-2017-7525" }, { "name": "CVE-2021-41035", "url": "https://www.cve.org/CVERecord?id=CVE-2021-41035" }, { "name": "CVE-2022-21434", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21434" }, { "name": "CVE-2022-21294", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21294" }, { "name": "CVE-2022-21341", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21341" }, { "name": "CVE-2021-35578", "url": "https://www.cve.org/CVERecord?id=CVE-2021-35578" }, { "name": "CVE-2022-21293", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21293" }, { "name": "CVE-2020-36518", "url": "https://www.cve.org/CVERecord?id=CVE-2020-36518" }, { "name": "CVE-2022-21248", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21248" }, { "name": "CVE-2022-21496", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21496" }, { "name": "CVE-2022-37599", "url": "https://www.cve.org/CVERecord?id=CVE-2022-37599" }, { "name": "CVE-2022-21443", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21443" } ], "initial_release_date": "2023-01-31T00:00:00", "last_revision_date": "2023-01-31T00:00:00", "links": [], "reference": "CERTFR-2023-AVI-0073", "revisions": [ { "description": "Version initiale", "revision_date": "2023-01-31T00:00:00.000000" } ], "risks": [ { "description": "D\u00e9ni de service \u00e0 distance" }, { "description": "Ex\u00e9cution de code arbitraire \u00e0 distance" }, { "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es" }, { "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es" }, { "description": "\u00c9l\u00e9vation de privil\u00e8ges" } ], "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n", "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM", "vendor_advisories": [ { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 6555376 du 30 janvier 2023", "url": "https://www.ibm.com/support/pages/node/6555376" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 6890619 du 30 janvier 2023", "url": "https://www.ibm.com/support/pages/node/6890619" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 6890703 du 30 janvier 2023", "url": "https://www.ibm.com/support/pages/node/6890703" } ] }
CERTFR-2022-AVI-717
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Schneider. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneVendor | Product | Description | ||
---|---|---|---|---|
N/A | N/A | Eurotherm Data Reviewer3.0.2 software versions antérieures 4.0.0 | ||
N/A | N/A | Modicon Momentum MDI (171CBU*) toutes versions | ||
Schneider Electric | N/A | EcoStruxure Control Expert versions antérieures à 15.2 | ||
Symfony | process | EcoStruxure Process Expert versions antérieures à 2021 | ||
N/A | N/A | Modicon M580 CPU (BMEP* et BMEH*) versions antérieures à 4.01 | ||
Schneider Electric | N/A | Legacy Modicon Quantum toutes versions | ||
N/A | N/A | OPC UA Modicon Communication Module (BMENUA0100) versions antérieures à 2.01 | ||
Schneider Electric | N/A | Modicon MC80 (BMKC80) toutes versions | ||
Schneider Electric | Modicon M340 | Modicon M340 CPU (BMXP34*) versions antérieures 3.50 |
Title | Publication Time | Tags | |||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
{ "$ref": "https://www.cert.ssi.gouv.fr/openapi.json", "affected_systems": [ { "description": "Eurotherm Data Reviewer3.0.2 software versions ant\u00e9rieures 4.0.0", "product": { "name": "N/A", "vendor": { "name": "N/A", "scada": false } } }, { "description": "Modicon Momentum MDI (171CBU*) toutes versions", "product": { "name": "N/A", "vendor": { "name": "N/A", "scada": false } } }, { "description": "EcoStruxure Control Expert versions ant\u00e9rieures \u00e0 15.2", "product": { "name": "N/A", "vendor": { "name": "Schneider Electric", "scada": true } } }, { "description": "EcoStruxure Process Expert versions ant\u00e9rieures \u00e0 2021", "product": { "name": "process", "vendor": { "name": "Symfony", "scada": false } } }, { "description": "Modicon M580 CPU (BMEP* et BMEH*) versions ant\u00e9rieures \u00e0 4.01", "product": { "name": "N/A", "vendor": { "name": "N/A", "scada": false } } }, { "description": "Legacy Modicon Quantum toutes versions", "product": { "name": "N/A", "vendor": { "name": "Schneider Electric", "scada": true } } }, { "description": "OPC UA Modicon Communication Module (BMENUA0100) versions ant\u00e9rieures \u00e0 2.01", "product": { "name": "N/A", "vendor": { "name": "N/A", "scada": false } } }, { "description": "Modicon MC80 (BMKC80) toutes versions", "product": { "name": "N/A", "vendor": { "name": "Schneider Electric", "scada": true } } }, { "description": "Modicon M340 CPU (BMXP34*) versions ant\u00e9rieures 3.50", "product": { "name": "Modicon M340", "vendor": { "name": "Schneider Electric", "scada": true } } } ], "affected_systems_content": null, "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n", "cves": [ { "name": "CVE-2019-6846", "url": "https://www.cve.org/CVERecord?id=CVE-2019-6846" }, { "name": "CVE-2022-34760", "url": "https://www.cve.org/CVERecord?id=CVE-2022-34760" }, { "name": "CVE-2020-35198", "url": "https://www.cve.org/CVERecord?id=CVE-2020-35198" }, { "name": "CVE-2021-22791", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22791" }, { "name": "CVE-2022-34762", "url": "https://www.cve.org/CVERecord?id=CVE-2022-34762" }, { "name": "CVE-2019-6841", "url": "https://www.cve.org/CVERecord?id=CVE-2019-6841" }, { "name": "CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "name": "CVE-2021-22779", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22779" }, { "name": "CVE-2021-22781", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22781" }, { "name": "CVE-2021-22780", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22780" }, { "name": "CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "name": "CVE-2021-22790", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22790" }, { "name": "CVE-2022-37302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-37302" }, { "name": "CVE-2022-34761", "url": "https://www.cve.org/CVERecord?id=CVE-2022-34761" }, { "name": "CVE-2022-34759", "url": "https://www.cve.org/CVERecord?id=CVE-2022-34759" }, { "name": "CVE-2022-37301", "url": "https://www.cve.org/CVERecord?id=CVE-2022-37301" }, { "name": "CVE-2018-7241", "url": "https://www.cve.org/CVERecord?id=CVE-2018-7241" }, { "name": "CVE-2021-22786", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22786" }, { "name": "CVE-2018-7242", "url": "https://www.cve.org/CVERecord?id=CVE-2018-7242" }, { "name": "CVE-2019-6844", "url": "https://www.cve.org/CVERecord?id=CVE-2019-6844" }, { "name": "CVE-2019-6842", "url": "https://www.cve.org/CVERecord?id=CVE-2019-6842" }, { "name": "CVE-2021-22782", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22782" }, { "name": "CVE-2021-22778", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22778" }, { "name": "CVE-2022-34764", "url": "https://www.cve.org/CVERecord?id=CVE-2022-34764" }, { "name": "CVE-2022-34763", "url": "https://www.cve.org/CVERecord?id=CVE-2022-34763" }, { "name": "CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "name": "CVE-2022-37300", "url": "https://www.cve.org/CVERecord?id=CVE-2022-37300" }, { "name": "CVE-2021-22789", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22789" }, { "name": "CVE-2019-6847", "url": "https://www.cve.org/CVERecord?id=CVE-2019-6847" }, { "name": "CVE-2022-34765", "url": "https://www.cve.org/CVERecord?id=CVE-2022-34765" }, { "name": "CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "name": "CVE-2021-22792", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22792" }, { "name": "CVE-2019-6843", "url": "https://www.cve.org/CVERecord?id=CVE-2019-6843" }, { "name": "CVE-2018-7240", "url": "https://www.cve.org/CVERecord?id=CVE-2018-7240" }, { "name": "CVE-2011-4859", "url": "https://www.cve.org/CVERecord?id=CVE-2011-4859" }, { "name": "CVE-2020-28895", "url": "https://www.cve.org/CVERecord?id=CVE-2020-28895" }, { "name": "CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "name": "CVE-2020-12525", "url": "https://www.cve.org/CVERecord?id=CVE-2020-12525" } ], "initial_release_date": "2022-08-09T00:00:00", "last_revision_date": "2022-09-08T00:00:00", "links": [], "reference": "CERTFR-2022-AVI-717", "revisions": [ { "description": "Version initiale", "revision_date": "2022-08-09T00:00:00.000000" }, { "description": "Mise \u00e0 jour des liens", "revision_date": "2022-08-22T00:00:00.000000" }, { "description": "Mise \u00e0 jour des liens des bulletins de s\u00e9curit\u00e9 Schneider SEVD-2022-221-01, SEVD-2022-221-02 et SEVD-2022-221-04 du 9 ao\u00fbt 2022.", "revision_date": "2022-09-08T00:00:00.000000" }, { "description": "Ajout du libell\u00e9 [SCADA] dans le titre.", "revision_date": "2022-09-08T00:00:00.000000" } ], "risks": [ { "description": "D\u00e9ni de service \u00e0 distance" }, { "description": "Ex\u00e9cution de code arbitraire \u00e0 distance" }, { "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es" }, { "description": "Contournement de la politique de s\u00e9curit\u00e9" }, { "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es" } ], "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSchneider. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de\nservice \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n", "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider", "vendor_advisories": [ { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Schneider SESB-2021-347-01 du 9 ao\u00fbt 2022", "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SESB-2021-347-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SESB-2021-347-01_Apache_Log4j_Log4Shell_Vulnerabilities_Security_Notification_V14.0.pdf" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2019-281-02 du 9 ao\u00fbt 2022", "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2019-281-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2019-281-02_Modicon_Controllers_Security_Notification_V3.0.pdf" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-221-01 du 9 ao\u00fbt 2022", "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-221-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-221-01_EcoStruxure_Control_Expert_Modicon580_Security_Notification_V1.1.pdf" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-193-01 du 9 ao\u00fbt 2022", "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-193-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-193-01_OPC_UA_X80_Advanced_RTU_Modicon_Communication_Modules_Security_Notification_V3.0.pdf" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-313-05 du 9 ao\u00fbt 2022", "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-313-05\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2021-313-05_Badalloc_Vulnerabilities_Security_Notification_V10.0.pdf" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-221-03 du 9 ao\u00fbt 2022", "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-221-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-221-03_EcoStruxure_Control_Expert_Security_Notification.pdf" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-221-02 du 9 ao\u00fbt 2022", "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-221-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-221-02_Modicon_Controllers_Security_Notification_V1.1.pdf" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2018-081-01 du 9 ao\u00fbt 2022", "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2018-081-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2018-081-01_Embedded_FTP_Servers_for_Modicon_PAC_Controllers_Security_Notification_V3.0.pdf" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-222-04 du 9 ao\u00fbt 2022", "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-222-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2021-222-04_Modicon_PAC_Controllers_PLC_Simulator_Control_Expert_Process_Expert_Security_Notification_V2.0.pdf" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-194-01 du 9 ao\u00fbt 2022", "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2021-194-01_EcoStruxure_Control_Expert_Process_Expert_SCADAPack_RemoteConnect_Modicon_M580_M340_Security_Notifcation_V4.0.pdf" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-221-04 du 9 ao\u00fbt 2022", "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-221-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-221-04-Modicon_Controllers_Ethernet_Modules_Security_Notification_V1.1.pdf" } ] }
CERTFR-2022-AVI-1027
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans IBM Db2. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneTitle | Publication Time | Tags | ||||||
---|---|---|---|---|---|---|---|---|
|
{ "$ref": "https://www.cert.ssi.gouv.fr/openapi.json", "affected_systems": [ { "description": "IBM Db2 versions 11.5.6 et 11.5.7 sans le correctif de s\u00e9curit\u00e9", "product": { "name": "Db2", "vendor": { "name": "IBM", "scada": false } } }, { "description": "IBM Db2 versions 11.5.x ant\u00e9rieures \u00e0 11.5.8", "product": { "name": "Db2", "vendor": { "name": "IBM", "scada": false } } } ], "affected_systems_content": null, "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n", "cves": [ { "name": "CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "name": "CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "name": "CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "name": "CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "name": "CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" } ], "initial_release_date": "2022-11-14T00:00:00", "last_revision_date": "2022-11-14T00:00:00", "links": [], "reference": "CERTFR-2022-AVI-1027", "revisions": [ { "description": "Version initiale", "revision_date": "2022-11-14T00:00:00.000000" } ], "risks": [ { "description": "D\u00e9ni de service \u00e0 distance" }, { "description": "Ex\u00e9cution de code arbitraire \u00e0 distance" }, { "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es" } ], "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM Db2. Elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es.\n", "title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM Db2", "vendor_advisories": [ { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 6528672 du 11 novembre 2022", "url": "https://www.ibm.com/support/pages/node/6528672" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 6526462 du 11 novembre 2022", "url": "https://www.ibm.com/support/pages/node/6526462" } ] }
CERTFR-2021-AVI-951
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans le noyau Linux de RedHat. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneVendor | Product | Description | ||
---|---|---|---|---|
Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - AUS 8.4 x86_64 | ||
Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64 | ||
Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - TUS 8.4 x86_64 | ||
Red Hat | N/A | Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64 | ||
SolarWinds | Platform | Red Hat OpenShift Container Platform for Power 4.8 for RHEL 8 ppc64le | ||
Red Hat | N/A | Red Hat Integration Text-Only Advisories x86_64 | ||
Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.4 ppc64le | ||
Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.4 aarch64 | ||
Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le | ||
Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Real Time for NFV - Telecommunications Update Service 8.4 x86_64 | ||
Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x | ||
Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64 | ||
Red Hat | N/A | Red Hat Openshift Application Runtimes Text-Only Advisories x86_64 | ||
Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.4 x86_64 | ||
Red Hat | N/A | Red Hat Integration - Camel K 1 x86_64 | ||
SolarWinds | Platform | Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64 | ||
Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le | ||
Red Hat | N/A | Red Hat Fuse 1 x86_64 | ||
SolarWinds | Platform | Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.8 for RHEL 8 s390x | ||
Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64 | ||
Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Real Time - Telecommunications Update Service 8.4 x86_64 | ||
Red Hat | N/A | Red Hat JBoss Data Grid Text-Only Advisories x86_64 |
Title | Publication Time | Tags | ||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
{ "$ref": "https://www.cert.ssi.gouv.fr/openapi.json", "affected_systems": [ { "description": "Red Hat Enterprise Linux Server - AUS 8.4 x86_64", "product": { "name": "Red Hat Enterprise Linux Server", "vendor": { "name": "Red Hat", "scada": false } } }, { "description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64", "product": { "name": "Red Hat Enterprise Linux", "vendor": { "name": "Red Hat", "scada": false } } }, { "description": "Red Hat Enterprise Linux Server - TUS 8.4 x86_64", "product": { "name": "Red Hat Enterprise Linux Server", "vendor": { "name": "Red Hat", "scada": false } } }, { "description": "Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64", "product": { "name": "N/A", "vendor": { "name": "Red Hat", "scada": false } } }, { "description": "Red Hat OpenShift Container Platform for Power 4.8 for RHEL 8 ppc64le", "product": { "name": "Platform", "vendor": { "name": "SolarWinds", "scada": false } } }, { "description": "Red Hat Integration Text-Only Advisories x86_64", "product": { "name": "N/A", "vendor": { "name": "Red Hat", "scada": false } } }, { "description": "Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.4 ppc64le", "product": { "name": "Red Hat CodeReady Linux Builder", "vendor": { "name": "Red Hat", "scada": false } } }, { "description": "Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.4 aarch64", "product": { "name": "Red Hat CodeReady Linux Builder", "vendor": { "name": "Red Hat", "scada": false } } }, { "description": "Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le", "product": { "name": "Red Hat Enterprise Linux Server", "vendor": { "name": "Red Hat", "scada": false } } }, { "description": "Red Hat Enterprise Linux for Real Time for NFV - Telecommunications Update Service 8.4 x86_64", "product": { "name": "Red Hat Enterprise Linux", "vendor": { "name": "Red Hat", "scada": false } } }, { "description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x", "product": { "name": "Red Hat Enterprise Linux", "vendor": { "name": "Red Hat", "scada": false } } }, { "description": "Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64", "product": { "name": "Red Hat Enterprise Linux Server", "vendor": { "name": "Red Hat", "scada": false } } }, { "description": "Red Hat Openshift Application Runtimes Text-Only Advisories x86_64", "product": { "name": "N/A", "vendor": { "name": "Red Hat", "scada": false } } }, { "description": "Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.4 x86_64", "product": { "name": "Red Hat CodeReady Linux Builder", "vendor": { "name": "Red Hat", "scada": false } } }, { "description": "Red Hat Integration - Camel K 1 x86_64", "product": { "name": "N/A", "vendor": { "name": "Red Hat", "scada": false } } }, { "description": "Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64", "product": { "name": "Platform", "vendor": { "name": "SolarWinds", "scada": false } } }, { "description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le", "product": { "name": "Red Hat Enterprise Linux", "vendor": { "name": "Red Hat", "scada": false } } }, { "description": "Red Hat Fuse 1 x86_64", "product": { "name": "N/A", "vendor": { "name": "Red Hat", "scada": false } } }, { "description": "Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.8 for RHEL 8 s390x", "product": { "name": "Platform", "vendor": { "name": "SolarWinds", "scada": false } } }, { "description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64", "product": { "name": "Red Hat Enterprise Linux", "vendor": { "name": "Red Hat", "scada": false } } }, { "description": "Red Hat Enterprise Linux for Real Time - Telecommunications Update Service 8.4 x86_64", "product": { "name": "Red Hat Enterprise Linux", "vendor": { "name": "Red Hat", "scada": false } } }, { "description": "Red Hat JBoss Data Grid Text-Only Advisories x86_64", "product": { "name": "N/A", "vendor": { "name": "Red Hat", "scada": false } } } ], "affected_systems_content": null, "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n", "cves": [ { "name": "CVE-2020-27223", "url": "https://www.cve.org/CVERecord?id=CVE-2020-27223" }, { "name": "CVE-2020-27218", "url": "https://www.cve.org/CVERecord?id=CVE-2020-27218" }, { "name": "CVE-2021-21343", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21343" }, { "name": "CVE-2021-29425", "url": "https://www.cve.org/CVERecord?id=CVE-2021-29425" }, { "name": "CVE-2021-21409", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21409" }, { "name": "CVE-2021-22118", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22118" }, { "name": "CVE-2020-2875", "url": "https://www.cve.org/CVERecord?id=CVE-2020-2875" }, { "name": "CVE-2021-3536", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3536" }, { "name": "CVE-2021-28169", "url": "https://www.cve.org/CVERecord?id=CVE-2021-28169" }, { "name": "CVE-2021-21348", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21348" }, { "name": "CVE-2020-11988", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11988" }, { "name": "CVE-2020-35510", "url": "https://www.cve.org/CVERecord?id=CVE-2020-35510" }, { "name": "CVE-2021-45606", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45606" }, { "name": "CVE-2020-2934", "url": "https://www.cve.org/CVERecord?id=CVE-2020-2934" }, { "name": "CVE-2021-21344", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21344" }, { "name": "CVE-2020-26259", "url": "https://www.cve.org/CVERecord?id=CVE-2020-26259" }, { "name": "CVE-2021-3597", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3597" }, { "name": "CVE-2021-28170", "url": "https://www.cve.org/CVERecord?id=CVE-2021-28170" }, { "name": "CVE-2021-21341", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21341" }, { "name": "CVE-2020-13949", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13949" }, { "name": "CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "name": "CVE-2021-3690", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3690" }, { "name": "CVE-2020-17521", "url": "https://www.cve.org/CVERecord?id=CVE-2020-17521" }, { "name": "CVE-2021-22696", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22696" }, { "name": "CVE-2021-28163", "url": "https://www.cve.org/CVERecord?id=CVE-2021-28163" }, { "name": "CVE-2021-37137", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37137" }, { "name": "CVE-2020-9488", "url": "https://www.cve.org/CVERecord?id=CVE-2020-9488" }, { "name": "CVE-2021-21347", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21347" }, { "name": "CVE-2021-27568", "url": "https://www.cve.org/CVERecord?id=CVE-2021-27568" }, { "name": "CVE-2020-26217", "url": "https://www.cve.org/CVERecord?id=CVE-2020-26217" }, { "name": "CVE-2021-37136", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37136" }, { "name": "CVE-2021-23926", "url": "https://www.cve.org/CVERecord?id=CVE-2021-23926" }, { "name": "CVE-2019-10744", "url": "https://www.cve.org/CVERecord?id=CVE-2019-10744" }, { "name": "CVE-2021-21295", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21295" }, { "name": "CVE-2021-21346", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21346" }, { "name": "CVE-2021-30468", "url": "https://www.cve.org/CVERecord?id=CVE-2021-30468" }, { "name": "CVE-2021-21351", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21351" }, { "name": "CVE-2021-21345", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21345" }, { "name": "CVE-2020-28491", "url": "https://www.cve.org/CVERecord?id=CVE-2020-28491" }, { "name": "CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "name": "CVE-2021-37714", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37714" }, { "name": "CVE-2019-12415", "url": "https://www.cve.org/CVERecord?id=CVE-2019-12415" }, { "name": "CVE-2021-20218", "url": "https://www.cve.org/CVERecord?id=CVE-2021-20218" }, { "name": "CVE-2020-27782", "url": "https://www.cve.org/CVERecord?id=CVE-2020-27782" }, { "name": "CVE-2021-30129", "url": "https://www.cve.org/CVERecord?id=CVE-2021-30129" }, { "name": "CVE-2020-17527", "url": "https://www.cve.org/CVERecord?id=CVE-2020-17527" }, { "name": "CVE-2021-21349", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21349" }, { "name": "CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "name": "CVE-2020-13943", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13943" }, { "name": "CVE-2020-15522", "url": "https://www.cve.org/CVERecord?id=CVE-2020-15522" }, { "name": "CVE-2021-28164", "url": "https://www.cve.org/CVERecord?id=CVE-2021-28164" }, { "name": "CVE-2020-11987", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11987" }, { "name": "CVE-2021-21290", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21290" }, { "name": "CVE-2021-21342", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21342" }, { "name": "CVE-2021-3629", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3629" }, { "name": "CVE-2021-21350", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21350" }, { "name": "CVE-2021-34428", "url": "https://www.cve.org/CVERecord?id=CVE-2021-34428" } ], "initial_release_date": "2021-12-15T00:00:00", "last_revision_date": "2021-12-15T00:00:00", "links": [ { "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5101 du 14 d\u00e9cembre 2021", "url": "https://access.redhat.com/errata/RHBA-2021:5101" } ], "reference": "CERTFR-2021-AVI-951", "revisions": [ { "description": "Version initiale", "revision_date": "2021-12-15T00:00:00.000000" } ], "risks": [ { "description": "Ex\u00e9cution de code arbitraire \u00e0 distance" }, { "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es" }, { "description": "D\u00e9ni de service" }, { "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es" }, { "description": "\u00c9l\u00e9vation de privil\u00e8ges" } ], "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de\nRedHat. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service et une\natteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n", "title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de RedHat", "vendor_advisories": [ { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5130 du 14 d\u00e9cembre 2021", "url": "https://access.redhat.com/errata/RHSA-2021:5130" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHBA-2021:5114 du 14 d\u00e9cembre 2021", "url": "https://access.redhat.com/errata/RHBA-2021:5114" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5138 du 14 d\u00e9cembre 2021", "url": "https://access.redhat.com/errata/RHSA-2021:5138" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5132 du 14 d\u00e9cembre 2021", "url": "https://access.redhat.com/errata/RHSA-2021:5132" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5126 du 14 d\u00e9cembre 2021", "url": "https://access.redhat.com/errata/RHSA-2021:5126" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5134 du 14 d\u00e9cembre 2021", "url": "https://access.redhat.com/errata/RHSA-2021:5134" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5133 du 14 d\u00e9cembre 2021", "url": "https://access.redhat.com/errata/RHSA-2021:5133" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5108 du 14 d\u00e9cembre 2021", "url": "https://access.redhat.com/errata/RHSA-2021:5108" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5093 du 14 d\u00e9cembre 2021", "url": "https://access.redhat.com/errata/RHSA-2021:5093" } ] }
CERTFR-2022-AVI-056
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans Oracle WebLogic Server. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneTitle | Publication Time | Tags | |||
---|---|---|---|---|---|
|
{ "$ref": "https://www.cert.ssi.gouv.fr/openapi.json", "affected_systems": [ { "description": "Oracle WebLogic Server versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 et 14.1.1.0.0", "product": { "name": "Weblogic", "vendor": { "name": "Oracle", "scada": false } } } ], "affected_systems_content": null, "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n", "cves": [ { "name": "CVE-2021-29425", "url": "https://www.cve.org/CVERecord?id=CVE-2021-29425" }, { "name": "CVE-2022-21371", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21371" }, { "name": "CVE-2022-21252", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21252" }, { "name": "CVE-2020-13956", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13956" }, { "name": "CVE-2022-21292", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21292" }, { "name": "CVE-2020-2934", "url": "https://www.cve.org/CVERecord?id=CVE-2020-2934" }, { "name": "CVE-2022-21257", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21257" }, { "name": "CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "name": "CVE-2022-21347", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21347" }, { "name": "CVE-2022-21361", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21361" }, { "name": "CVE-2022-21260", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21260" }, { "name": "CVE-2022-21258", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21258" }, { "name": "CVE-2021-27568", "url": "https://www.cve.org/CVERecord?id=CVE-2021-27568" }, { "name": "CVE-2018-1324", "url": "https://www.cve.org/CVERecord?id=CVE-2018-1324" }, { "name": "CVE-2022-21259", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21259" }, { "name": "CVE-2019-10219", "url": "https://www.cve.org/CVERecord?id=CVE-2019-10219" }, { "name": "CVE-2022-21353", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21353" }, { "name": "CVE-2022-21306", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21306" }, { "name": "CVE-2022-21350", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21350" }, { "name": "CVE-2022-21262", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21262" }, { "name": "CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "name": "CVE-2022-21386", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21386" }, { "name": "CVE-2022-21261", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21261" }, { "name": "CVE-2020-5258", "url": "https://www.cve.org/CVERecord?id=CVE-2020-5258" }, { "name": "CVE-2020-11023", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11023" } ], "initial_release_date": "2022-01-19T00:00:00", "last_revision_date": "2022-01-19T00:00:00", "links": [], "reference": "CERTFR-2022-AVI-056", "revisions": [ { "description": "Version initiale", "revision_date": "2022-01-19T00:00:00.000000" } ], "risks": [ { "description": "D\u00e9ni de service \u00e0 distance" }, { "description": "Ex\u00e9cution de code arbitraire \u00e0 distance" }, { "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es" }, { "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es" } ], "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle WebLogic\nServer. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n", "title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle WebLogic Server", "vendor_advisories": [ { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Oracle cpujan2022.html du 18 janvier 2022", "url": "https://www.oracle.com/security-alerts/cpujan2022.html#AppendixFMW" } ] }
CERTFR-2022-AVI-712
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans IBM QRadar SIEM. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneVendor | Product | Description | ||
---|---|---|---|---|
IBM | QRadar SIEM | IBM QRadar User Behavior Analytics versions antérieures à 4.1.8 |
Title | Publication Time | Tags | ||||||
---|---|---|---|---|---|---|---|---|
|
{ "$ref": "https://www.cert.ssi.gouv.fr/openapi.json", "affected_systems": [ { "description": "IBM QRadar User Behavior Analytics versions ant\u00e9rieures \u00e0 4.1.8", "product": { "name": "QRadar SIEM", "vendor": { "name": "IBM", "scada": false } } } ], "affected_systems_content": null, "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n", "cves": [ { "name": "CVE-2021-41182", "url": "https://www.cve.org/CVERecord?id=CVE-2021-41182" }, { "name": "CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "name": "CVE-2021-23445", "url": "https://www.cve.org/CVERecord?id=CVE-2021-23445" }, { "name": "CVE-2021-41184", "url": "https://www.cve.org/CVERecord?id=CVE-2021-41184" }, { "name": "CVE-2021-41183", "url": "https://www.cve.org/CVERecord?id=CVE-2021-41183" }, { "name": "CVE-2021-29489", "url": "https://www.cve.org/CVERecord?id=CVE-2021-29489" } ], "initial_release_date": "2022-08-08T00:00:00", "last_revision_date": "2022-08-08T00:00:00", "links": [], "reference": "CERTFR-2022-AVI-712", "revisions": [ { "description": "Version initiale", "revision_date": "2022-08-08T00:00:00.000000" } ], "risks": [ { "description": "Ex\u00e9cution de code arbitraire \u00e0 distance" }, { "description": "Contournement de la politique de s\u00e9curit\u00e9" } ], "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM QRadar SIEM.\nElles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code\narbitraire \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n", "title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM QRadar SIEM", "vendor_advisories": [ { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 6610741 du 05 ao\u00fbt 2022", "url": "https://www.ibm.com/support/pages/node/6610741" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 6610729 du 05 ao\u00fbt 2022", "url": "https://www.ibm.com/support/pages/node/6610729" } ] }
CERTFR-2022-AVI-755
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans IBM Spectrum. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneTitle | Publication Time | Tags | ||||||
---|---|---|---|---|---|---|---|---|
|
{ "$ref": "https://www.cert.ssi.gouv.fr/openapi.json", "affected_systems": [ { "description": "IBM Spectrum Control versions 5.4.x ant\u00e9rieures \u00e0 5.4.8", "product": { "name": "Spectrum", "vendor": { "name": "IBM", "scada": false } } }, { "description": "IBM Spectrum Discover versions 2.0.4.x ant\u00e9rieures \u00e0 2.0.4.5", "product": { "name": "Spectrum", "vendor": { "name": "IBM", "scada": false } } } ], "affected_systems_content": null, "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n", "cves": [ { "name": "CVE-2022-2068", "url": "https://www.cve.org/CVERecord?id=CVE-2022-2068" }, { "name": "CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "name": "CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "name": "CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "name": "CVE-2021-41092", "url": "https://www.cve.org/CVERecord?id=CVE-2021-41092" }, { "name": "CVE-2022-22475", "url": "https://www.cve.org/CVERecord?id=CVE-2022-22475" }, { "name": "CVE-2022-2097", "url": "https://www.cve.org/CVERecord?id=CVE-2022-2097" }, { "name": "CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" } ], "initial_release_date": "2022-08-19T00:00:00", "last_revision_date": "2022-08-19T00:00:00", "links": [], "reference": "CERTFR-2022-AVI-755", "revisions": [ { "description": "Version initiale", "revision_date": "2022-08-19T00:00:00.000000" } ], "risks": [ { "description": "Ex\u00e9cution de code arbitraire \u00e0 distance" }, { "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es" }, { "description": "Contournement de la politique de s\u00e9curit\u00e9" }, { "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es" } ], "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM Spectrum.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un contournement de la\npolitique de s\u00e9curit\u00e9 et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n", "title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM Spectrum", "vendor_advisories": [ { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 6568675 du 18 ao\u00fbt 2022", "url": "https://www.ibm.com/support/pages/node/6568675" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 6613565 du 18 ao\u00fbt 2022", "url": "https://www.ibm.com/support/pages/node/6613565" } ] }
CERTFR-2023-AVI-0910
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans IBM QRadar. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneTitle | Publication Time | Tags | |||
---|---|---|---|---|---|
|
{ "$ref": "https://www.cert.ssi.gouv.fr/openapi.json", "affected_systems": [ { "description": "IBM QRadar SIEM versions 7.5.x ant\u00e9rieures \u00e0 7.5.0 UP7 IF01", "product": { "name": "QRadar", "vendor": { "name": "IBM", "scada": false } } } ], "affected_systems_content": null, "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n", "cves": [ { "name": "CVE-2019-17571", "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571" }, { "name": "CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "name": "CVE-2020-9493", "url": "https://www.cve.org/CVERecord?id=CVE-2020-9493" }, { "name": "CVE-2020-9488", "url": "https://www.cve.org/CVERecord?id=CVE-2020-9488" }, { "name": "CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "name": "CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "name": "CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "name": "CVE-2023-24329", "url": "https://www.cve.org/CVERecord?id=CVE-2023-24329" }, { "name": "CVE-2023-43041", "url": "https://www.cve.org/CVERecord?id=CVE-2023-43041" } ], "initial_release_date": "2023-11-03T00:00:00", "last_revision_date": "2023-11-03T00:00:00", "links": [], "reference": "CERTFR-2023-AVI-0910", "revisions": [ { "description": "Version initiale", "revision_date": "2023-11-03T00:00:00.000000" } ], "risks": [ { "description": "Ex\u00e9cution de code arbitraire \u00e0 distance" }, { "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es" }, { "description": "Contournement de la politique de s\u00e9curit\u00e9" }, { "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es" } ], "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM QRadar.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un contournement de la\npolitique de s\u00e9curit\u00e9 et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n", "title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM QRadar", "vendor_advisories": [ { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 7060803 du 27 octobre 2023", "url": "https://www.ibm.com/support/pages/node/7060803" } ] }
CERTFR-2024-AVI-0419
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneVendor | Product | Description | ||
---|---|---|---|---|
IBM | QRadar User Behavior Analytics | QRadar User Behavior Analytics versions antérieures à 4.1.16 | ||
IBM | QRadar SIEM | IBM QRadar SIEM versions 7.5.x sans le dernier correctif de sécurité | ||
IBM | WebSphere | WebSphere Extreme Scale versions 8.6.1.x antérieures à 8.6.1.6 avec le correctif de sécurité PH61189 |
Title | Publication Time | Tags | |||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
{ "$ref": "https://www.cert.ssi.gouv.fr/openapi.json", "affected_systems": [ { "description": "QRadar User Behavior Analytics versions ant\u00e9rieures \u00e0 4.1.16", "product": { "name": "QRadar User Behavior Analytics", "vendor": { "name": "IBM", "scada": false } } }, { "description": "IBM QRadar SIEM versions 7.5.x sans le dernier correctif de s\u00e9curit\u00e9", "product": { "name": "QRadar SIEM", "vendor": { "name": "IBM", "scada": false } } }, { "description": "WebSphere Extreme Scale versions 8.6.1.x ant\u00e9rieures \u00e0 8.6.1.6 avec le correctif de s\u00e9curit\u00e9 PH61189", "product": { "name": "WebSphere", "vendor": { "name": "IBM", "scada": false } } } ], "affected_systems_content": null, "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n", "cves": [ { "name": "CVE-2024-20919", "url": "https://www.cve.org/CVERecord?id=CVE-2024-20919" }, { "name": "CVE-2024-1597", "url": "https://www.cve.org/CVERecord?id=CVE-2024-1597" }, { "name": "CVE-2024-28849", "url": "https://www.cve.org/CVERecord?id=CVE-2024-28849" }, { "name": "CVE-2023-31582", "url": "https://www.cve.org/CVERecord?id=CVE-2023-31582" }, { "name": "CVE-2023-46234", "url": "https://www.cve.org/CVERecord?id=CVE-2023-46234" }, { "name": "CVE-2024-20926", "url": "https://www.cve.org/CVERecord?id=CVE-2024-20926" }, { "name": "CVE-2023-26464", "url": "https://www.cve.org/CVERecord?id=CVE-2023-26464" }, { "name": "CVE-2022-25647", "url": "https://www.cve.org/CVERecord?id=CVE-2022-25647" }, { "name": "CVE-2019-17571", "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571" }, { "name": "CVE-2024-20921", "url": "https://www.cve.org/CVERecord?id=CVE-2024-20921" }, { "name": "CVE-2023-34462", "url": "https://www.cve.org/CVERecord?id=CVE-2023-34462" }, { "name": "CVE-2020-13936", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13936" }, { "name": "CVE-2023-34454", "url": "https://www.cve.org/CVERecord?id=CVE-2023-34454" }, { "name": "CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "name": "CVE-2023-34453", "url": "https://www.cve.org/CVERecord?id=CVE-2023-34453" }, { "name": "CVE-2023-3635", "url": "https://www.cve.org/CVERecord?id=CVE-2023-3635" }, { "name": "CVE-2023-25613", "url": "https://www.cve.org/CVERecord?id=CVE-2023-25613" }, { "name": "CVE-2023-41419", "url": "https://www.cve.org/CVERecord?id=CVE-2023-41419" }, { "name": "CVE-2020-9493", "url": "https://www.cve.org/CVERecord?id=CVE-2020-9493" }, { "name": "CVE-2018-11770", "url": "https://www.cve.org/CVERecord?id=CVE-2018-11770" }, { "name": "CVE-2018-11804", "url": "https://www.cve.org/CVERecord?id=CVE-2018-11804" }, { "name": "CVE-2020-9488", "url": "https://www.cve.org/CVERecord?id=CVE-2020-9488" }, { "name": "CVE-2023-22946", "url": "https://www.cve.org/CVERecord?id=CVE-2023-22946" }, { "name": "CVE-2024-22195", "url": "https://www.cve.org/CVERecord?id=CVE-2024-22195" }, { "name": "CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "name": "CVE-2023-34455", "url": "https://www.cve.org/CVERecord?id=CVE-2023-34455" }, { "name": "CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "name": "CVE-2022-46751", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46751" }, { "name": "CVE-2023-51775", "url": "https://www.cve.org/CVERecord?id=CVE-2023-51775" }, { "name": "CVE-2023-44981", "url": "https://www.cve.org/CVERecord?id=CVE-2023-44981" }, { "name": "CVE-2023-33850", "url": "https://www.cve.org/CVERecord?id=CVE-2023-33850" }, { "name": "CVE-2023-6481", "url": "https://www.cve.org/CVERecord?id=CVE-2023-6481" }, { "name": "CVE-2023-6378", "url": "https://www.cve.org/CVERecord?id=CVE-2023-6378" }, { "name": "CVE-2018-17190", "url": "https://www.cve.org/CVERecord?id=CVE-2018-17190" }, { "name": "CVE-2023-26145", "url": "https://www.cve.org/CVERecord?id=CVE-2023-26145" }, { "name": "CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "name": "CVE-2024-20918", "url": "https://www.cve.org/CVERecord?id=CVE-2024-20918" }, { "name": "CVE-2024-29180", "url": "https://www.cve.org/CVERecord?id=CVE-2024-29180" }, { "name": "CVE-2024-20945", "url": "https://www.cve.org/CVERecord?id=CVE-2024-20945" }, { "name": "CVE-2023-31486", "url": "https://www.cve.org/CVERecord?id=CVE-2023-31486" }, { "name": "CVE-2023-26159", "url": "https://www.cve.org/CVERecord?id=CVE-2023-26159" }, { "name": "CVE-2024-20952", "url": "https://www.cve.org/CVERecord?id=CVE-2024-20952" }, { "name": "CVE-2017-16137", "url": "https://www.cve.org/CVERecord?id=CVE-2017-16137" } ], "initial_release_date": "2024-05-17T00:00:00", "last_revision_date": "2024-05-17T00:00:00", "links": [], "reference": "CERTFR-2024-AVI-0419", "revisions": [ { "description": "Version initiale", "revision_date": "2024-05-17T00:00:00.000000" } ], "risks": [ { "description": "D\u00e9ni de service \u00e0 distance" }, { "description": "Injection de code indirecte \u00e0 distance (XSS)" }, { "description": "Ex\u00e9cution de code arbitraire \u00e0 distance" }, { "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es" }, { "description": "Contournement de la politique de s\u00e9curit\u00e9" }, { "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es" }, { "description": "\u00c9l\u00e9vation de privil\u00e8ges" } ], "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eles produits IBM\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0\ndistance.\n", "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM", "vendor_advisories": [ { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 7150929 du 10 mai 2024", "url": "https://www.ibm.com/support/pages/node/7150929" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 7152257 du 15 mai 2024", "url": "https://www.ibm.com/support/pages/node/7152257" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 7152260 du 15 mai 2024", "url": "https://www.ibm.com/support/pages/node/7152260" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 7152258 du 15 mai 2024", "url": "https://www.ibm.com/support/pages/node/7152258" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 7150844 du 10 mai 2024", "url": "https://www.ibm.com/support/pages/node/7150844" } ] }
CERTFR-2024-AVI-0027
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Juniper Networks. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneVendor | Product | Description | ||
---|---|---|---|---|
Juniper Networks | N/A | CTPView versions versions antérieures à 9.1R5 | ||
Juniper Networks | Junos OS Evolved | Junos OS Evolved version antérieures à 20.4R2-EVO, 20.4R2-S2-EVO, 20.4R3-EVO, 20.4R3-S7-EVO, 21.1R2-EVO, 21.2R2-EVO, 21.2R3-S7-EVO, 21.3R2-EVO, 21.3R3-S5-EVO, 21.4R3-EVO, 21.4R3-S3-EVO, 21.4R3-S5-EVO, 21.4R3-S6-EVO, 22.1R3-EVO, 22.1R3-S2-EVO, 22.1R3-S4-EVO, 22.1R3-S5-EVO, 22.2R2-S1-EVO, 22.2R2-S2-EVO, 22.2R3-EVO, 22.2R3-S2-EVO, 22.2R3-S3-EVO, 22.3R1-EVO, 22.3R2-EVO, 22.3R3-EVO, 22.3R3-S1-EVO, 22.4R1-EVO, 22.4R2-EVO, 22.4R2-S2-EVO, 22.4R3-EVO, 23.1R2-EVO, 23.2R1-EVO, 23.2R1-S1-EVO, 23.2R1-S2-EVO, 23.2R2-EVO, 23.3R1-EVO et 23.4R1-EVO | ||
Juniper Networks | N/A | Paragon Active Assurance versions antérieures à 3.1.2, 3.2.3, 3.3.2 et 3.4.1 | ||
Juniper Networks | Junos OS | Junos OS version antérieures à 20.4R3-S3, 20.4R3-S6, 20.4R3-S7, 20.4R3-S8, 20.4R3-S9, 21.1R3-S4, 21.1R3-S5, 21.2R3, 21.2R3-S3, 21.2R3-S4, 21.2R3-S5, 21.2R3-S6, 21.2R3-S7, 21.3R2-S1, 21.3R3, 21.3R3-S3, 21.3R3-S4, 21.3R3-S5, 21.4R2, 21.4R3, 21.4R3-S3, 21.4R3-S4, 21.4R3-S5, 22.1R2, 22.1R2-S2, 22.1R3, 22.1R3-S1, 22.1R3-S2, 22.1R3-S3, 22.1R3-S4, 22.2R1, 22.2R2, 22.2R2-S1, 22.2R2-S2, 22.2R3, 22.2R3-S1, 22.2R3-S2, 22.2R3-S3, 22.3R1, 22.3R2, 22.3R2-S1, 22.3R2-S2, 22.3R3, 22.3R3-S1, 22.3R3-S2, 22.4R1, 22.4R1-S2, 22.4R2, 22.4R2-S1, 22.4R2-S2, 22.4R3, 23.1R1, 23.1R2, 23.2R1, 23.2R1-S1, 23.2R1-S2, 23.2R2, 23.3R1 et 23.4R1 | ||
Juniper Networks | Session Smart Router | Session Smart Router versions antérieures à SSR-6.2.3-r2 | ||
Juniper Networks | N/A | Security Director Insights versions antérieures à 23.1R1 |
Title | Publication Time | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
{ "$ref": "https://www.cert.ssi.gouv.fr/openapi.json", "affected_systems": [ { "description": "CTPView versions versions ant\u00e9rieures \u00e0 9.1R5", "product": { "name": "N/A", "vendor": { "name": "Juniper Networks", "scada": false } } }, { "description": "Junos OS Evolved version ant\u00e9rieures \u00e0 20.4R2-EVO, 20.4R2-S2-EVO, 20.4R3-EVO, 20.4R3-S7-EVO, 21.1R2-EVO, 21.2R2-EVO, 21.2R3-S7-EVO, 21.3R2-EVO, 21.3R3-S5-EVO, 21.4R3-EVO, 21.4R3-S3-EVO, 21.4R3-S5-EVO, 21.4R3-S6-EVO, 22.1R3-EVO, 22.1R3-S2-EVO, 22.1R3-S4-EVO, 22.1R3-S5-EVO, 22.2R2-S1-EVO, 22.2R2-S2-EVO, 22.2R3-EVO, 22.2R3-S2-EVO, 22.2R3-S3-EVO, 22.3R1-EVO, 22.3R2-EVO, 22.3R3-EVO, 22.3R3-S1-EVO, 22.4R1-EVO, 22.4R2-EVO, 22.4R2-S2-EVO, 22.4R3-EVO, 23.1R2-EVO, 23.2R1-EVO, 23.2R1-S1-EVO, 23.2R1-S2-EVO, 23.2R2-EVO, 23.3R1-EVO et 23.4R1-EVO", "product": { "name": "Junos OS Evolved", "vendor": { "name": "Juniper Networks", "scada": false } } }, { "description": "Paragon Active Assurance versions ant\u00e9rieures \u00e0 3.1.2, 3.2.3, 3.3.2 et 3.4.1", "product": { "name": "N/A", "vendor": { "name": "Juniper Networks", "scada": false } } }, { "description": "Junos OS version ant\u00e9rieures \u00e0 20.4R3-S3, 20.4R3-S6, 20.4R3-S7, 20.4R3-S8, 20.4R3-S9, 21.1R3-S4, 21.1R3-S5, 21.2R3, 21.2R3-S3, 21.2R3-S4, 21.2R3-S5, 21.2R3-S6, 21.2R3-S7, 21.3R2-S1, 21.3R3, 21.3R3-S3, 21.3R3-S4, 21.3R3-S5, 21.4R2, 21.4R3, 21.4R3-S3, 21.4R3-S4, 21.4R3-S5, 22.1R2, 22.1R2-S2, 22.1R3, 22.1R3-S1, 22.1R3-S2, 22.1R3-S3, 22.1R3-S4, 22.2R1, 22.2R2, 22.2R2-S1, 22.2R2-S2, 22.2R3, 22.2R3-S1, 22.2R3-S2, 22.2R3-S3, 22.3R1, 22.3R2, 22.3R2-S1, 22.3R2-S2, 22.3R3, 22.3R3-S1, 22.3R3-S2, 22.4R1, 22.4R1-S2, 22.4R2, 22.4R2-S1, 22.4R2-S2, 22.4R3, 23.1R1, 23.1R2, 23.2R1, 23.2R1-S1, 23.2R1-S2, 23.2R2, 23.3R1 et 23.4R1", "product": { "name": "Junos OS", "vendor": { "name": "Juniper Networks", "scada": false } } }, { "description": "Session Smart Router versions ant\u00e9rieures \u00e0 SSR-6.2.3-r2", "product": { "name": "Session Smart Router", "vendor": { "name": "Juniper Networks", "scada": false } } }, { "description": "Security Director Insights versions ant\u00e9rieures \u00e0 23.1R1", "product": { "name": "N/A", "vendor": { "name": "Juniper Networks", "scada": false } } } ], "affected_systems_content": null, "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n", "cves": [ { "name": "CVE-2022-3707", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3707" }, { "name": "CVE-2024-21602", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21602" }, { "name": "CVE-2022-41974", "url": "https://www.cve.org/CVERecord?id=CVE-2022-41974" }, { "name": "CVE-2023-38802", "url": "https://www.cve.org/CVERecord?id=CVE-2023-38802" }, { "name": "CVE-2023-21938", "url": "https://www.cve.org/CVERecord?id=CVE-2023-21938" }, { "name": "CVE-2023-21843", "url": "https://www.cve.org/CVERecord?id=CVE-2023-21843" }, { "name": "CVE-2022-42720", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42720" }, { "name": "CVE-2022-30594", "url": "https://www.cve.org/CVERecord?id=CVE-2022-30594" }, { "name": "CVE-2022-41973", "url": "https://www.cve.org/CVERecord?id=CVE-2022-41973" }, { "name": "CVE-2023-0461", "url": "https://www.cve.org/CVERecord?id=CVE-2023-0461" }, { "name": "CVE-2024-21616", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21616" }, { "name": "CVE-2021-25220", "url": "https://www.cve.org/CVERecord?id=CVE-2021-25220" }, { "name": "CVE-2023-2235", "url": "https://www.cve.org/CVERecord?id=CVE-2023-2235" }, { "name": "CVE-2023-23454", "url": "https://www.cve.org/CVERecord?id=CVE-2023-23454" }, { "name": "CVE-2023-21954", "url": "https://www.cve.org/CVERecord?id=CVE-2023-21954" }, { "name": "CVE-2022-2964", "url": "https://www.cve.org/CVERecord?id=CVE-2022-2964" }, { "name": "CVE-2023-21939", "url": "https://www.cve.org/CVERecord?id=CVE-2023-21939" }, { "name": "CVE-2023-1281", "url": "https://www.cve.org/CVERecord?id=CVE-2023-1281" }, { "name": "CVE-2024-21599", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21599" }, { "name": "CVE-2022-47929", "url": "https://www.cve.org/CVERecord?id=CVE-2022-47929" }, { "name": "CVE-2022-3628", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3628" }, { "name": "CVE-2024-21614", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21614" }, { "name": "CVE-2023-21830", "url": "https://www.cve.org/CVERecord?id=CVE-2023-21830" }, { "name": "CVE-2023-3817", "url": "https://www.cve.org/CVERecord?id=CVE-2023-3817" }, { "name": "CVE-2023-26464", "url": "https://www.cve.org/CVERecord?id=CVE-2023-26464" }, { "name": "CVE-2020-0466", "url": "https://www.cve.org/CVERecord?id=CVE-2020-0466" }, { "name": "CVE-2021-26691", "url": "https://www.cve.org/CVERecord?id=CVE-2021-26691" }, { "name": "CVE-2022-4269", "url": "https://www.cve.org/CVERecord?id=CVE-2022-4269" }, { "name": "CVE-2022-42703", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42703" }, { "name": "CVE-2024-21607", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21607" }, { "name": "CVE-2023-0286", "url": "https://www.cve.org/CVERecord?id=CVE-2023-0286" }, { "name": "CVE-2023-32067", "url": "https://www.cve.org/CVERecord?id=CVE-2023-32067" }, { "name": "CVE-2023-0266", "url": "https://www.cve.org/CVERecord?id=CVE-2023-0266" }, { "name": "CVE-2019-17571", "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571" }, { "name": "CVE-2022-39189", "url": "https://www.cve.org/CVERecord?id=CVE-2022-39189" }, { "name": "CVE-2022-3239", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3239" }, { "name": "CVE-2022-43750", "url": "https://www.cve.org/CVERecord?id=CVE-2022-43750" }, { "name": "CVE-2022-3567", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3567" }, { "name": "CVE-2023-2828", "url": "https://www.cve.org/CVERecord?id=CVE-2023-2828" }, { "name": "CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "name": "CVE-2023-22081", "url": "https://www.cve.org/CVERecord?id=CVE-2023-22081" }, { "name": "CVE-2023-20569", "url": "https://www.cve.org/CVERecord?id=CVE-2023-20569" }, { "name": "CVE-2024-21596", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21596" }, { "name": "CVE-2022-3564", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3564" }, { "name": "CVE-2021-33656", "url": "https://www.cve.org/CVERecord?id=CVE-2021-33656" }, { "name": "CVE-2023-1582", "url": "https://www.cve.org/CVERecord?id=CVE-2023-1582" }, { "name": "CVE-2022-4129", "url": "https://www.cve.org/CVERecord?id=CVE-2022-4129" }, { "name": "CVE-2022-41218", "url": "https://www.cve.org/CVERecord?id=CVE-2022-41218" }, { "name": "CVE-2023-2194", "url": "https://www.cve.org/CVERecord?id=CVE-2023-2194" }, { "name": "CVE-2024-21604", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21604" }, { "name": "CVE-2023-32360", "url": "https://www.cve.org/CVERecord?id=CVE-2023-32360" }, { "name": "CVE-2022-0934", "url": "https://www.cve.org/CVERecord?id=CVE-2022-0934" }, { "name": "CVE-2020-9493", "url": "https://www.cve.org/CVERecord?id=CVE-2020-9493" }, { "name": "CVE-2021-3573", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3573" }, { "name": "CVE-2022-2196", "url": "https://www.cve.org/CVERecord?id=CVE-2022-2196" }, { "name": "CVE-2021-39275", "url": "https://www.cve.org/CVERecord?id=CVE-2021-39275" }, { "name": "CVE-2022-42896", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42896" }, { "name": "CVE-2022-21699", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21699" }, { "name": "CVE-2024-21600", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21600" }, { "name": "CVE-2021-33655", "url": "https://www.cve.org/CVERecord?id=CVE-2021-33655" }, { "name": "CVE-2023-0767", "url": "https://www.cve.org/CVERecord?id=CVE-2023-0767" }, { "name": "CVE-2022-1462", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1462" }, { "name": "CVE-2023-23920", "url": "https://www.cve.org/CVERecord?id=CVE-2023-23920" }, { "name": "CVE-2023-20593", "url": "https://www.cve.org/CVERecord?id=CVE-2023-20593" }, { "name": "CVE-2024-21606", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21606" }, { "name": "CVE-2022-0330", "url": "https://www.cve.org/CVERecord?id=CVE-2022-0330" }, { "name": "CVE-2022-41222", "url": "https://www.cve.org/CVERecord?id=CVE-2022-41222" }, { "name": "CVE-2016-10009", "url": "https://www.cve.org/CVERecord?id=CVE-2016-10009" }, { "name": "CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "name": "CVE-2022-2663", "url": "https://www.cve.org/CVERecord?id=CVE-2022-2663" }, { "name": "CVE-2023-23918", "url": "https://www.cve.org/CVERecord?id=CVE-2023-23918" }, { "name": "CVE-2024-21591", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21591" }, { "name": "CVE-2020-12321", "url": "https://www.cve.org/CVERecord?id=CVE-2020-12321" }, { "name": "CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "name": "CVE-2022-3524", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3524" }, { "name": "CVE-2022-39188", "url": "https://www.cve.org/CVERecord?id=CVE-2022-39188" }, { "name": "CVE-2023-3341", "url": "https://www.cve.org/CVERecord?id=CVE-2023-3341" }, { "name": "CVE-2022-37434", "url": "https://www.cve.org/CVERecord?id=CVE-2022-37434" }, { "name": "CVE-2022-2795", "url": "https://www.cve.org/CVERecord?id=CVE-2022-2795" }, { "name": "CVE-2022-22942", "url": "https://www.cve.org/CVERecord?id=CVE-2022-22942" }, { "name": "CVE-2022-43945", "url": "https://www.cve.org/CVERecord?id=CVE-2022-43945" }, { "name": "CVE-2022-3625", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3625" }, { "name": "CVE-2021-34798", "url": "https://www.cve.org/CVERecord?id=CVE-2021-34798" }, { "name": "CVE-2024-21587", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21587" }, { "name": "CVE-2022-42721", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42721" }, { "name": "CVE-2022-4378", "url": "https://www.cve.org/CVERecord?id=CVE-2022-4378" }, { "name": "CVE-2022-4254", "url": "https://www.cve.org/CVERecord?id=CVE-2022-4254" }, { "name": "CVE-2024-21617", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21617" }, { "name": "CVE-2023-1195", "url": "https://www.cve.org/CVERecord?id=CVE-2023-1195" }, { "name": "CVE-2024-21589", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21589" }, { "name": "CVE-2023-21937", "url": "https://www.cve.org/CVERecord?id=CVE-2023-21937" }, { "name": "CVE-2023-22809", "url": "https://www.cve.org/CVERecord?id=CVE-2023-22809" }, { "name": "CVE-2022-20141", "url": "https://www.cve.org/CVERecord?id=CVE-2022-20141" }, { "name": "CVE-2021-4155", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4155" }, { "name": "CVE-2023-2650", "url": "https://www.cve.org/CVERecord?id=CVE-2023-2650" }, { "name": "CVE-2024-21595", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21595" }, { "name": "CVE-2021-3564", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3564" }, { "name": "CVE-2021-3621", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3621" }, { "name": "CVE-2023-0394", "url": "https://www.cve.org/CVERecord?id=CVE-2023-0394" }, { "name": "CVE-2022-22164", "url": "https://www.cve.org/CVERecord?id=CVE-2022-22164" }, { "name": "CVE-2024-21597", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21597" }, { "name": "CVE-2021-3752", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3752" }, { "name": "CVE-2023-0386", "url": "https://www.cve.org/CVERecord?id=CVE-2023-0386" }, { "name": "CVE-2016-2183", "url": "https://www.cve.org/CVERecord?id=CVE-2016-2183" }, { "name": "CVE-2021-26341", "url": "https://www.cve.org/CVERecord?id=CVE-2021-26341" }, { "name": "CVE-2022-38023", "url": "https://www.cve.org/CVERecord?id=CVE-2022-38023" }, { "name": "CVE-2023-22045", "url": "https://www.cve.org/CVERecord?id=CVE-2023-22045" }, { "name": "CVE-2022-1679", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1679" }, { "name": "CVE-2023-22049", "url": "https://www.cve.org/CVERecord?id=CVE-2023-22049" }, { "name": "CVE-2023-38408", "url": "https://www.cve.org/CVERecord?id=CVE-2023-38408" }, { "name": "CVE-2022-3619", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3619" }, { "name": "CVE-2021-0920", "url": "https://www.cve.org/CVERecord?id=CVE-2021-0920" }, { "name": "CVE-2023-1829", "url": "https://www.cve.org/CVERecord?id=CVE-2023-1829" }, { "name": "CVE-2022-25265", "url": "https://www.cve.org/CVERecord?id=CVE-2022-25265" }, { "name": "CVE-2022-1789", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1789" }, { "name": "CVE-2022-2873", "url": "https://www.cve.org/CVERecord?id=CVE-2022-2873" }, { "name": "CVE-2022-3623", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3623" }, { "name": "CVE-2024-21611", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21611" }, { "name": "CVE-2024-21613", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21613" }, { "name": "CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "name": "CVE-2023-21968", "url": "https://www.cve.org/CVERecord?id=CVE-2023-21968" }, { "name": "CVE-2024-21612", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21612" }, { "name": "CVE-2022-42722", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42722" }, { "name": "CVE-2024-21603", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21603" }, { "name": "CVE-2023-21930", "url": "https://www.cve.org/CVERecord?id=CVE-2023-21930" }, { "name": "CVE-2024-21585", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21585" }, { "name": "CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "name": "CVE-2023-24329", "url": "https://www.cve.org/CVERecord?id=CVE-2023-24329" }, { "name": "CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "name": "CVE-2021-44790", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44790" }, { "name": "CVE-2023-36842", "url": "https://www.cve.org/CVERecord?id=CVE-2023-36842" }, { "name": "CVE-2022-4139", "url": "https://www.cve.org/CVERecord?id=CVE-2022-4139" }, { "name": "CVE-2024-21594", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21594" }, { "name": "CVE-2022-3028", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3028" }, { "name": "CVE-2022-3566", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3566" }, { "name": "CVE-2023-3446", "url": "https://www.cve.org/CVERecord?id=CVE-2023-3446" }, { "name": "CVE-2023-21967", "url": "https://www.cve.org/CVERecord?id=CVE-2023-21967" }, { "name": "CVE-2022-41674", "url": "https://www.cve.org/CVERecord?id=CVE-2022-41674" }, { "name": "CVE-2024-21601", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21601" }, { "name": "CVE-2023-2124", "url": "https://www.cve.org/CVERecord?id=CVE-2023-2124" }, { "name": "CVE-2020-0465", "url": "https://www.cve.org/CVERecord?id=CVE-2020-0465" } ], "initial_release_date": "2024-01-11T00:00:00", "last_revision_date": "2024-01-11T00:00:00", "links": [], "reference": "CERTFR-2024-AVI-0027", "revisions": [ { "description": "Version initiale", "revision_date": "2024-01-11T00:00:00.000000" } ], "risks": [ { "description": "D\u00e9ni de service \u00e0 distance" }, { "description": "Ex\u00e9cution de code arbitraire \u00e0 distance" }, { "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es" }, { "description": "Contournement de la politique de s\u00e9curit\u00e9" }, { "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es" }, { "description": "\u00c9l\u00e9vation de privil\u00e8ges" } ], "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nJuniper Networks. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de\nservice \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n", "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Juniper Networks", "vendor_advisories": [ { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75723 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-rpd-process-crash-due-to-BGP-flap-on-NSR-enabled-devices-CVE-2024-21585" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75741 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-PTX-Series-In-an-FTI-scenario-MPLS-packets-hitting-reject-next-hop-will-cause-a-host-path-wedge-condition-CVE-2024-21600" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75752 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-In-a-jflow-scenario-continuous-route-churn-will-cause-a-memory-leak-and-eventually-an-rpd-crash-CVE-2024-21611" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75757 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-Processing-of-a-specific-SIP-packet-causes-NAT-IP-allocation-to-fail-CVE-2024-21616" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75730 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-jdhcpd-will-hang-on-receiving-a-specific-DHCP-packet-CVE-2023-36842" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75734 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-EX4100-EX4400-EX4600-and-QFX5000-Series-A-high-rate-of-specific-ICMP-traffic-will-cause-the-PFE-to-hang-CVE-2024-21595" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75737 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Security-Director-Insights-Multiple-vulnerabilities-in-SDI" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75721 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-Evolved-IPython-privilege-escalation-vulnerability-CVE-2022-21699" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75736 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-CTPView-Multiple-vulnerabilities-in-CTPView-CVE-yyyy-nnnn" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75747 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-SRX-Series-flowd-will-crash-when-tcp-encap-is-enabled-and-specific-packets-are-received-CVE-2024-21606" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75758 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-BGP-flap-on-NSR-enabled-devices-causes-memory-leak-CVE-2024-21617" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA11272 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2022-01-Security-Bulletin-Junos-OS-Evolved-Telnet-service-may-be-enabled-when-it-is-expected-to-be-disabled-CVE-2022-22164" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75727 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Paragon-Active-Assurance-Control-Center-Information-disclosure-vulnerability-CVE-2024-21589" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75233 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Session-Smart-Router-Multiple-vulnerabilities-resolved" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75754 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-A-link-flap-causes-patroot-memory-leak-which-leads-to-rpd-crash-CVE-2024-21613" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75753 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-Evolved-Specific-TCP-traffic-causes-OFP-core-and-restart-of-RE-CVE-2024-21612" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75742 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-SRX-Series-Due-to-an-error-in-processing-TCP-events-flowd-will-crash-CVE-2024-21601" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75740 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-MX-Series-MPC3E-memory-leak-with-PTP-configuration-CVE-2024-21599" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75748 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-MX-Series-and-EX9200-Series-If-the-tcp-reset-option-used-in-an-IPv6-filter-matched-packets-are-accepted-instead-of-rejected-CVE-2024-21607" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75744 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-MX-Series-Gathering-statistics-in-a-scaled-SCU-DCU-configuration-will-lead-to-a-device-crash-CVE-2024-21603" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75743 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-Evolved-ACX7024-ACX7100-32C-and-ACX7100-48L-Traffic-stops-when-a-specific-IPv4-UDP-packet-is-received-by-the-RE-CVE-2024-21602" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75738 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-MX-Series-In-an-AF-scenario-traffic-can-bypass-configured-lo0-firewall-filters-CVE-2024-21597" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75733 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-SRX-5000-Series-Repeated-execution-of-a-specific-CLI-command-causes-a-flowd-crash-CVE-2024-21594" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75725 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-Memory-leak-in-bbe-smgd-process-if-BFD-liveness-detection-for-DHCP-subscribers-is-enabled-CVE-2024-21587" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75755 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-A-specific-query-via-DREND-causes-rpd-crash-CVE-2024-21614" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75735 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-A-specific-BGP-UPDATE-message-will-cause-a-crash-in-the-backup-Routing-Engine-CVE-2024-21596" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75745 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-Evolved-A-high-rate-of-specific-traffic-will-cause-a-complete-system-outage-CVE-2024-21604" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75729 du 10 janvier 2024", "url": "https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Security-Vulnerability-in-J-web-allows-a-preAuth-Remote-Code-Execution-CVE-2024-21591" } ] }
CERTFR-2022-AVI-526
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une exécution de code arbitraire et un déni de service à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneVendor | Product | Description | ||
---|---|---|---|---|
IBM | Db2 | IBM Db2 versions 11.5.x antérieures à 11.5.7 sans le dernier correctif de sécurité | ||
IBM | Db2 | IBM Db2 versions 10.5.x antérieures à 10.5 FP11 | ||
IBM | Db2 | IBM Db2 versions 11.1.x antérieures à 11.1.4 FP6 | ||
IBM | Db2 | IBM Db2 versions 11.5.x antérieures à 11.5.6 sans le dernier correctif de sécurité |
Title | Publication Time | Tags | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
|
{ "$ref": "https://www.cert.ssi.gouv.fr/openapi.json", "affected_systems": [ { "description": "IBM Db2 versions 11.5.x ant\u00e9rieures \u00e0 11.5.7 sans le dernier correctif de s\u00e9curit\u00e9", "product": { "name": "Db2", "vendor": { "name": "IBM", "scada": false } } }, { "description": "IBM Db2 versions 10.5.x ant\u00e9rieures \u00e0 10.5 FP11", "product": { "name": "Db2", "vendor": { "name": "IBM", "scada": false } } }, { "description": "IBM Db2 versions 11.1.x ant\u00e9rieures \u00e0 11.1.4 FP6", "product": { "name": "Db2", "vendor": { "name": "IBM", "scada": false } } }, { "description": "IBM Db2 versions 11.5.x ant\u00e9rieures \u00e0 11.5.6 sans le dernier correctif de s\u00e9curit\u00e9", "product": { "name": "Db2", "vendor": { "name": "IBM", "scada": false } } } ], "affected_systems_content": null, "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n", "cves": [ { "name": "CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "name": "CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "name": "CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "name": "CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "name": "CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" } ], "initial_release_date": "2022-06-08T00:00:00", "last_revision_date": "2022-06-08T00:00:00", "links": [], "reference": "CERTFR-2022-AVI-526", "revisions": [ { "description": "Version initiale", "revision_date": "2022-06-08T00:00:00.000000" } ], "risks": [ { "description": "D\u00e9ni de service \u00e0 distance" }, { "description": "Ex\u00e9cution de code arbitraire \u00e0 distance" }, { "description": "Ex\u00e9cution de code arbitraire" }, { "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es" } ], "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, une ex\u00e9cution de code\narbitraire et un d\u00e9ni de service \u00e0 distance.\n", "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM", "vendor_advisories": [ { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 6528672 du 06 juin 2022", "url": "https://www.ibm.com/support/pages/node/6528672" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 6528678 du 07 juin 2022", "url": "https://www.ibm.com/support/pages/node/6528678" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 6526462 du 06 juin 2022", "url": "https://www.ibm.com/support/pages/node/6526462" } ] }
CERTFR-2025-AVI-0855
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Juniper Networks. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Vendor | Product | Description | ||
---|---|---|---|---|
Juniper Networks | Junos OS | Junos OS versions 24.4 antérieures à 24.4R2 | ||
Juniper Networks | Junos OS Evolved | Junos OS Evolved versions antérieures à 22.4R3-S8-EVO | ||
Juniper Networks | Junos OS | Junos OS versions 23.4 antérieures à 23.4R2-S5 | ||
Juniper Networks | Junos OS Evolved | Junos OS Evolved versions 23.2-EVO antérieures à 23.2R2-S4-EVO | ||
Juniper Networks | Junos OS | Junos OS versions antérieures à 22.4R3-S8 | ||
Juniper Networks | Junos OS Evolved | Junos OS Evolved versions 24.2-EVO antérieures à 24.2R2-S2-EVO | ||
Juniper Networks | Junos OS Evolved | Junos OS Evolved versions 24.4-EVO antérieures à 24.4R2-EVO | ||
Juniper Networks | Junos Space | Junos Space versions antérieures à 24.1R4 | ||
Juniper Networks | Security Director | Security Director Policy Enforcer versions antérieures à 23.1R1 Hotpatch v3 | ||
Juniper Networks | Junos Space | Junos Space Security Director versions antérieures à 24.1R4 | ||
Juniper Networks | Junos OS Evolved | Junos OS Evolved versions 23.4-EVO antérieures à 23.4R2-S5-EVO | ||
Juniper Networks | Junos OS | Junos OS versions 23.2 antérieures à 23.2R2-S4 | ||
Juniper Networks | Junos OS | Junos OS versions 24.2 antérieures à 24.2R2-S1 |
Title | Publication Time | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
{ "$ref": "https://www.cert.ssi.gouv.fr/openapi.json", "affected_systems": [ { "description": "Junos OS versions 24.4 ant\u00e9rieures \u00e0 24.4R2", "product": { "name": "Junos OS", "vendor": { "name": "Juniper Networks", "scada": false } } }, { "description": "Junos OS Evolved versions ant\u00e9rieures \u00e0 22.4R3-S8-EVO", "product": { "name": "Junos OS Evolved", "vendor": { "name": "Juniper Networks", "scada": false } } }, { "description": "Junos OS versions 23.4 ant\u00e9rieures \u00e0 23.4R2-S5", "product": { "name": "Junos OS", "vendor": { "name": "Juniper Networks", "scada": false } } }, { "description": "Junos OS Evolved versions 23.2-EVO ant\u00e9rieures \u00e0 23.2R2-S4-EVO", "product": { "name": "Junos OS Evolved", "vendor": { "name": "Juniper Networks", "scada": false } } }, { "description": "Junos OS versions ant\u00e9rieures \u00e0 22.4R3-S8", "product": { "name": "Junos OS", "vendor": { "name": "Juniper Networks", "scada": false } } }, { "description": "Junos OS Evolved versions 24.2-EVO ant\u00e9rieures \u00e0 24.2R2-S2-EVO", "product": { "name": "Junos OS Evolved", "vendor": { "name": "Juniper Networks", "scada": false } } }, { "description": "Junos OS Evolved versions 24.4-EVO ant\u00e9rieures \u00e0 24.4R2-EVO", "product": { "name": "Junos OS Evolved", "vendor": { "name": "Juniper Networks", "scada": false } } }, { "description": "Junos Space versions ant\u00e9rieures \u00e0 24.1R4", "product": { "name": "Junos Space", "vendor": { "name": "Juniper Networks", "scada": false } } }, { "description": "Security Director Policy Enforcer versions ant\u00e9rieures \u00e0 23.1R1 Hotpatch v3", "product": { "name": "Security Director", "vendor": { "name": "Juniper Networks", "scada": false } } }, { "description": "Junos Space Security Director versions ant\u00e9rieures \u00e0 24.1R4", "product": { "name": "Junos Space", "vendor": { "name": "Juniper Networks", "scada": false } } }, { "description": "Junos OS Evolved versions 23.4-EVO ant\u00e9rieures \u00e0 23.4R2-S5-EVO", "product": { "name": "Junos OS Evolved", "vendor": { "name": "Juniper Networks", "scada": false } } }, { "description": "Junos OS versions 23.2 ant\u00e9rieures \u00e0 23.2R2-S4", "product": { "name": "Junos OS", "vendor": { "name": "Juniper Networks", "scada": false } } }, { "description": "Junos OS versions 24.2 ant\u00e9rieures \u00e0 24.2R2-S1", "product": { "name": "Junos OS", "vendor": { "name": "Juniper Networks", "scada": false } } } ], "affected_systems_content": "", "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).", "cves": [ { "name": "CVE-2024-24795", "url": "https://www.cve.org/CVERecord?id=CVE-2024-24795" }, { "name": "CVE-2024-36903", "url": "https://www.cve.org/CVERecord?id=CVE-2024-36903" }, { "name": "CVE-2023-44431", "url": "https://www.cve.org/CVERecord?id=CVE-2023-44431" }, { "name": "CVE-2021-47606", "url": "https://www.cve.org/CVERecord?id=CVE-2021-47606" }, { "name": "CVE-2025-59993", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59993" }, { "name": "CVE-2025-59997", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59997" }, { "name": "CVE-2023-7104", "url": "https://www.cve.org/CVERecord?id=CVE-2023-7104" }, { "name": "CVE-2025-59995", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59995" }, { "name": "CVE-2024-21235", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21235" }, { "name": "CVE-2023-28466", "url": "https://www.cve.org/CVERecord?id=CVE-2023-28466" }, { "name": "CVE-2024-36921", "url": "https://www.cve.org/CVERecord?id=CVE-2024-36921" }, { "name": "CVE-2025-59986", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59986" }, { "name": "CVE-2025-60009", "url": "https://www.cve.org/CVERecord?id=CVE-2025-60009" }, { "name": "CVE-2025-59989", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59989" }, { "name": "CVE-2024-26897", "url": "https://www.cve.org/CVERecord?id=CVE-2024-26897" }, { "name": "CVE-2023-46103", "url": "https://www.cve.org/CVERecord?id=CVE-2023-46103" }, { "name": "CVE-2024-27052", "url": "https://www.cve.org/CVERecord?id=CVE-2024-27052" }, { "name": "CVE-2023-2235", "url": "https://www.cve.org/CVERecord?id=CVE-2023-2235" }, { "name": "CVE-2025-59999", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59999" }, { "name": "CVE-2025-59994", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59994" }, { "name": "CVE-2024-4076", "url": "https://www.cve.org/CVERecord?id=CVE-2024-4076" }, { "name": "CVE-2025-59967", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59967" }, { "name": "CVE-2022-24805", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24805" }, { "name": "CVE-2024-12797", "url": "https://www.cve.org/CVERecord?id=CVE-2024-12797" }, { "name": "CVE-2023-3390", "url": "https://www.cve.org/CVERecord?id=CVE-2023-3390" }, { "name": "CVE-2024-37356", "url": "https://www.cve.org/CVERecord?id=CVE-2024-37356" }, { "name": "CVE-2024-47538", "url": "https://www.cve.org/CVERecord?id=CVE-2024-47538" }, { "name": "CVE-2023-4004", "url": "https://www.cve.org/CVERecord?id=CVE-2023-4004" }, { "name": "CVE-2024-21823", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21823" }, { "name": "CVE-2025-59991", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59991" }, { "name": "CVE-2024-5564", "url": "https://www.cve.org/CVERecord?id=CVE-2024-5564" }, { "name": "CVE-2024-26600", "url": "https://www.cve.org/CVERecord?id=CVE-2024-26600" }, { "name": "CVE-2023-28746", "url": "https://www.cve.org/CVERecord?id=CVE-2023-28746" }, { "name": "CVE-2023-52864", "url": "https://www.cve.org/CVERecord?id=CVE-2023-52864" }, { "name": "CVE-2025-26600", "url": "https://www.cve.org/CVERecord?id=CVE-2025-26600" }, { "name": "CVE-2024-3596", "url": "https://www.cve.org/CVERecord?id=CVE-2024-3596" }, { "name": "CVE-2024-27280", "url": "https://www.cve.org/CVERecord?id=CVE-2024-27280" }, { "name": "CVE-2024-36929", "url": "https://www.cve.org/CVERecord?id=CVE-2024-36929" }, { "name": "CVE-2023-35788", "url": "https://www.cve.org/CVERecord?id=CVE-2023-35788" }, { "name": "CVE-2025-59982", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59982" }, { "name": "CVE-2024-1975", "url": "https://www.cve.org/CVERecord?id=CVE-2024-1975" }, { "name": "CVE-2023-43785", "url": "https://www.cve.org/CVERecord?id=CVE-2023-43785" }, { "name": "CVE-2024-30205", "url": "https://www.cve.org/CVERecord?id=CVE-2024-30205" }, { "name": "CVE-2018-17247", "url": "https://www.cve.org/CVERecord?id=CVE-2018-17247" }, { "name": "CVE-2025-60004", "url": "https://www.cve.org/CVERecord?id=CVE-2025-60004" }, { "name": "CVE-2023-51594", "url": "https://www.cve.org/CVERecord?id=CVE-2023-51594" }, { "name": "CVE-2024-22025", "url": "https://www.cve.org/CVERecord?id=CVE-2024-22025" }, { "name": "CVE-2023-50229", "url": "https://www.cve.org/CVERecord?id=CVE-2023-50229" }, { "name": "CVE-2025-59974", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59974" }, { "name": "CVE-2025-26598", "url": "https://www.cve.org/CVERecord?id=CVE-2025-26598" }, { "name": "CVE-2018-3824", "url": "https://www.cve.org/CVERecord?id=CVE-2018-3824" }, { "name": "CVE-2024-40928", "url": "https://www.cve.org/CVERecord?id=CVE-2024-40928" }, { "name": "CVE-2024-43398", "url": "https://www.cve.org/CVERecord?id=CVE-2024-43398" }, { "name": "CVE-2024-8508", "url": "https://www.cve.org/CVERecord?id=CVE-2024-8508" }, { "name": "CVE-2024-36020", "url": "https://www.cve.org/CVERecord?id=CVE-2024-36020" }, { "name": "CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "name": "CVE-2025-59981", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59981" }, { "name": "CVE-2023-31248", "url": "https://www.cve.org/CVERecord?id=CVE-2023-31248" }, { "name": "CVE-2024-1737", "url": "https://www.cve.org/CVERecord?id=CVE-2024-1737" }, { "name": "CVE-2023-25193", "url": "https://www.cve.org/CVERecord?id=CVE-2023-25193" }, { "name": "CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "name": "CVE-2024-30203", "url": "https://www.cve.org/CVERecord?id=CVE-2024-30203" }, { "name": "CVE-2023-3090", "url": "https://www.cve.org/CVERecord?id=CVE-2023-3090" }, { "name": "CVE-2024-35937", "url": "https://www.cve.org/CVERecord?id=CVE-2024-35937" }, { "name": "CVE-2025-59968", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59968" }, { "name": "CVE-2023-51592", "url": "https://www.cve.org/CVERecord?id=CVE-2023-51592" }, { "name": "CVE-2025-59990", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59990" }, { "name": "CVE-2021-22146", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22146" }, { "name": "CVE-2025-59978", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59978" }, { "name": "CVE-2024-25629", "url": "https://www.cve.org/CVERecord?id=CVE-2024-25629" }, { "name": "CVE-2024-36017", "url": "https://www.cve.org/CVERecord?id=CVE-2024-36017" }, { "name": "CVE-2024-24806", "url": "https://www.cve.org/CVERecord?id=CVE-2024-24806" }, { "name": "CVE-2024-27434", "url": "https://www.cve.org/CVERecord?id=CVE-2024-27434" }, { "name": "CVE-2023-47038", "url": "https://www.cve.org/CVERecord?id=CVE-2023-47038" }, { "name": "CVE-2024-35852", "url": "https://www.cve.org/CVERecord?id=CVE-2024-35852" }, { "name": "CVE-2024-38558", "url": "https://www.cve.org/CVERecord?id=CVE-2024-38558" }, { "name": "CVE-2025-59992", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59992" }, { "name": "CVE-2024-35845", "url": "https://www.cve.org/CVERecord?id=CVE-2024-35845" }, { "name": "CVE-2021-41072", "url": "https://www.cve.org/CVERecord?id=CVE-2021-41072" }, { "name": "CVE-2025-60000", "url": "https://www.cve.org/CVERecord?id=CVE-2025-60000" }, { "name": "CVE-2022-24807", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24807" }, { "name": "CVE-2024-47607", "url": "https://www.cve.org/CVERecord?id=CVE-2024-47607" }, { "name": "CVE-2024-27065", "url": "https://www.cve.org/CVERecord?id=CVE-2024-27065" }, { "name": "CVE-2024-36005", "url": "https://www.cve.org/CVERecord?id=CVE-2024-36005" }, { "name": "CVE-2023-45866", "url": "https://www.cve.org/CVERecord?id=CVE-2023-45866" }, { "name": "CVE-2023-27349", "url": "https://www.cve.org/CVERecord?id=CVE-2023-27349" }, { "name": "CVE-2023-0464", "url": "https://www.cve.org/CVERecord?id=CVE-2023-0464" }, { "name": "CVE-2015-5377", "url": "https://www.cve.org/CVERecord?id=CVE-2015-5377" }, { "name": "CVE-2023-48161", "url": "https://www.cve.org/CVERecord?id=CVE-2023-48161" }, { "name": "CVE-2022-24810", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24810" }, { "name": "CVE-2024-33621", "url": "https://www.cve.org/CVERecord?id=CVE-2024-33621" }, { "name": "CVE-2024-27983", "url": "https://www.cve.org/CVERecord?id=CVE-2024-27983" }, { "name": "CVE-2025-60001", "url": "https://www.cve.org/CVERecord?id=CVE-2025-60001" }, { "name": "CVE-2024-5742", "url": "https://www.cve.org/CVERecord?id=CVE-2024-5742" }, { "name": "CVE-2023-50230", "url": "https://www.cve.org/CVERecord?id=CVE-2023-50230" }, { "name": "CVE-2025-52960", "url": "https://www.cve.org/CVERecord?id=CVE-2025-52960" }, { "name": "CVE-2024-36922", "url": "https://www.cve.org/CVERecord?id=CVE-2024-36922" }, { "name": "CVE-2025-59996", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59996" }, { "name": "CVE-2024-39487", "url": "https://www.cve.org/CVERecord?id=CVE-2024-39487" }, { "name": "CVE-2024-27982", "url": "https://www.cve.org/CVERecord?id=CVE-2024-27982" }, { "name": "CVE-2023-38575", "url": "https://www.cve.org/CVERecord?id=CVE-2023-38575" }, { "name": "CVE-2024-35911", "url": "https://www.cve.org/CVERecord?id=CVE-2024-35911" }, { "name": "CVE-2025-59957", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59957" }, { "name": "CVE-2025-59958", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59958" }, { "name": "CVE-2021-41043", "url": "https://www.cve.org/CVERecord?id=CVE-2021-41043" }, { "name": "CVE-2018-17244", "url": "https://www.cve.org/CVERecord?id=CVE-2018-17244" }, { "name": "CVE-2019-12900", "url": "https://www.cve.org/CVERecord?id=CVE-2019-12900" }, { "name": "CVE-2024-39908", "url": "https://www.cve.org/CVERecord?id=CVE-2024-39908" }, { "name": "CVE-2025-26597", "url": "https://www.cve.org/CVERecord?id=CVE-2025-26597" }, { "name": "CVE-2024-36971", "url": "https://www.cve.org/CVERecord?id=CVE-2024-36971" }, { "name": "CVE-2023-2603", "url": "https://www.cve.org/CVERecord?id=CVE-2023-2603" }, { "name": "CVE-2024-41946", "url": "https://www.cve.org/CVERecord?id=CVE-2024-41946" }, { "name": "CVE-2023-3776", "url": "https://www.cve.org/CVERecord?id=CVE-2023-3776" }, { "name": "CVE-2024-42934", "url": "https://www.cve.org/CVERecord?id=CVE-2024-42934" }, { "name": "CVE-2023-51580", "url": "https://www.cve.org/CVERecord?id=CVE-2023-51580" }, { "name": "CVE-2024-35848", "url": "https://www.cve.org/CVERecord?id=CVE-2024-35848" }, { "name": "CVE-2024-27417", "url": "https://www.cve.org/CVERecord?id=CVE-2024-27417" }, { "name": "CVE-2023-21102", "url": "https://www.cve.org/CVERecord?id=CVE-2023-21102" }, { "name": "CVE-2024-27281", "url": "https://www.cve.org/CVERecord?id=CVE-2024-27281" }, { "name": "CVE-2025-59983", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59983" }, { "name": "CVE-2024-36941", "url": "https://www.cve.org/CVERecord?id=CVE-2024-36941" }, { "name": "CVE-2024-2236", "url": "https://www.cve.org/CVERecord?id=CVE-2024-2236" }, { "name": "CVE-2024-38428", "url": "https://www.cve.org/CVERecord?id=CVE-2024-38428" }, { "name": "CVE-2024-35969", "url": "https://www.cve.org/CVERecord?id=CVE-2024-35969" }, { "name": "CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "name": "CVE-2025-60006", "url": "https://www.cve.org/CVERecord?id=CVE-2025-60006" }, { "name": "CVE-2024-36489", "url": "https://www.cve.org/CVERecord?id=CVE-2024-36489" }, { "name": "CVE-2015-1427", "url": "https://www.cve.org/CVERecord?id=CVE-2015-1427" }, { "name": "CVE-2024-38575", "url": "https://www.cve.org/CVERecord?id=CVE-2024-38575" }, { "name": "CVE-2024-35899", "url": "https://www.cve.org/CVERecord?id=CVE-2024-35899" }, { "name": "CVE-2024-35823", "url": "https://www.cve.org/CVERecord?id=CVE-2024-35823" }, { "name": "CVE-2024-40954", "url": "https://www.cve.org/CVERecord?id=CVE-2024-40954" }, { "name": "CVE-2024-9632", "url": "https://www.cve.org/CVERecord?id=CVE-2024-9632" }, { "name": "CVE-2023-38408", "url": "https://www.cve.org/CVERecord?id=CVE-2023-38408" }, { "name": "CVE-2025-26595", "url": "https://www.cve.org/CVERecord?id=CVE-2025-26595" }, { "name": "CVE-2024-26868", "url": "https://www.cve.org/CVERecord?id=CVE-2024-26868" }, { "name": "CVE-2023-43787", "url": "https://www.cve.org/CVERecord?id=CVE-2023-43787" }, { "name": "CVE-2023-43786", "url": "https://www.cve.org/CVERecord?id=CVE-2023-43786" }, { "name": "CVE-2024-8235", "url": "https://www.cve.org/CVERecord?id=CVE-2024-8235" }, { "name": "CVE-2023-4147", "url": "https://www.cve.org/CVERecord?id=CVE-2023-4147" }, { "name": "CVE-2025-59977", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59977" }, { "name": "CVE-2023-6004", "url": "https://www.cve.org/CVERecord?id=CVE-2023-6004" }, { "name": "CVE-2023-3610", "url": "https://www.cve.org/CVERecord?id=CVE-2023-3610" }, { "name": "CVE-2025-26596", "url": "https://www.cve.org/CVERecord?id=CVE-2025-26596" }, { "name": "CVE-2024-4603", "url": "https://www.cve.org/CVERecord?id=CVE-2024-4603" }, { "name": "CVE-2022-48622", "url": "https://www.cve.org/CVERecord?id=CVE-2022-48622" }, { "name": "CVE-2021-42550", "url": "https://www.cve.org/CVERecord?id=CVE-2021-42550" }, { "name": "CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "name": "CVE-2024-26828", "url": "https://www.cve.org/CVERecord?id=CVE-2024-26828" }, { "name": "CVE-2025-59998", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59998" }, { "name": "CVE-2024-26808", "url": "https://www.cve.org/CVERecord?id=CVE-2024-26808" }, { "name": "CVE-2024-30204", "url": "https://www.cve.org/CVERecord?id=CVE-2024-30204" }, { "name": "CVE-2025-60002", "url": "https://www.cve.org/CVERecord?id=CVE-2025-60002" }, { "name": "CVE-2023-35001", "url": "https://www.cve.org/CVERecord?id=CVE-2023-35001" }, { "name": "CVE-2024-27282", "url": "https://www.cve.org/CVERecord?id=CVE-2024-27282" }, { "name": "CVE-2018-3831", "url": "https://www.cve.org/CVERecord?id=CVE-2018-3831" }, { "name": "CVE-2023-43490", "url": "https://www.cve.org/CVERecord?id=CVE-2023-43490" }, { "name": "CVE-2025-59976", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59976" }, { "name": "CVE-2025-59980", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59980" }, { "name": "CVE-2025-26599", "url": "https://www.cve.org/CVERecord?id=CVE-2025-26599" }, { "name": "CVE-2024-47615", "url": "https://www.cve.org/CVERecord?id=CVE-2024-47615" }, { "name": "CVE-2018-3823", "url": "https://www.cve.org/CVERecord?id=CVE-2018-3823" }, { "name": "CVE-2023-22655", "url": "https://www.cve.org/CVERecord?id=CVE-2023-22655" }, { "name": "CVE-2024-6126", "url": "https://www.cve.org/CVERecord?id=CVE-2024-6126" }, { "name": "CVE-2023-4911", "url": "https://www.cve.org/CVERecord?id=CVE-2023-4911" }, { "name": "CVE-2023-39368", "url": "https://www.cve.org/CVERecord?id=CVE-2023-39368" }, { "name": "CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "name": "CVE-2024-26853", "url": "https://www.cve.org/CVERecord?id=CVE-2024-26853" }, { "name": "CVE-2025-59975", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59975" }, { "name": "CVE-2025-0624", "url": "https://www.cve.org/CVERecord?id=CVE-2025-0624" }, { "name": "CVE-2025-59987", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59987" }, { "name": "CVE-2024-40958", "url": "https://www.cve.org/CVERecord?id=CVE-2024-40958" }, { "name": "CVE-2018-3826", "url": "https://www.cve.org/CVERecord?id=CVE-2018-3826" }, { "name": "CVE-2025-26601", "url": "https://www.cve.org/CVERecord?id=CVE-2025-26601" }, { "name": "CVE-2024-52337", "url": "https://www.cve.org/CVERecord?id=CVE-2024-52337" }, { "name": "CVE-2025-59985", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59985" }, { "name": "CVE-2025-11198", "url": "https://www.cve.org/CVERecord?id=CVE-2025-11198" }, { "name": "CVE-2022-24806", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24806" }, { "name": "CVE-2023-32233", "url": "https://www.cve.org/CVERecord?id=CVE-2023-32233" }, { "name": "CVE-2024-35789", "url": "https://www.cve.org/CVERecord?id=CVE-2024-35789" }, { "name": "CVE-2024-26327", "url": "https://www.cve.org/CVERecord?id=CVE-2024-26327" }, { "name": "CVE-2015-3253", "url": "https://www.cve.org/CVERecord?id=CVE-2015-3253" }, { "name": "CVE-2025-59964", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59964" }, { "name": "CVE-2025-59988", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59988" }, { "name": "CVE-2024-21210", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21210" }, { "name": "CVE-2024-2511", "url": "https://www.cve.org/CVERecord?id=CVE-2024-2511" }, { "name": "CVE-2024-34397", "url": "https://www.cve.org/CVERecord?id=CVE-2024-34397" }, { "name": "CVE-2023-45733", "url": "https://www.cve.org/CVERecord?id=CVE-2023-45733" }, { "name": "CVE-2021-40153", "url": "https://www.cve.org/CVERecord?id=CVE-2021-40153" }, { "name": "CVE-2024-6655", "url": "https://www.cve.org/CVERecord?id=CVE-2024-6655" }, { "name": "CVE-2024-41123", "url": "https://www.cve.org/CVERecord?id=CVE-2024-41123" }, { "name": "CVE-2024-27049", "url": "https://www.cve.org/CVERecord?id=CVE-2024-27049" }, { "name": "CVE-2025-59984", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59984" }, { "name": "CVE-2025-52961", "url": "https://www.cve.org/CVERecord?id=CVE-2025-52961" }, { "name": "CVE-2023-51589", "url": "https://www.cve.org/CVERecord?id=CVE-2023-51589" }, { "name": "CVE-2024-21217", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21217" }, { "name": "CVE-2024-28182", "url": "https://www.cve.org/CVERecord?id=CVE-2024-28182" }, { "name": "CVE-2021-3903", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3903" }, { "name": "CVE-2024-35800", "url": "https://www.cve.org/CVERecord?id=CVE-2024-35800" }, { "name": "CVE-2023-2124", "url": "https://www.cve.org/CVERecord?id=CVE-2023-2124" }, { "name": "CVE-2023-51596", "url": "https://www.cve.org/CVERecord?id=CVE-2023-51596" }, { "name": "CVE-2025-60010", "url": "https://www.cve.org/CVERecord?id=CVE-2025-60010" }, { "name": "CVE-2023-51764", "url": "https://www.cve.org/CVERecord?id=CVE-2023-51764" }, { "name": "CVE-2025-26594", "url": "https://www.cve.org/CVERecord?id=CVE-2025-26594" }, { "name": "CVE-2024-6409", "url": "https://www.cve.org/CVERecord?id=CVE-2024-6409" }, { "name": "CVE-2024-49761", "url": "https://www.cve.org/CVERecord?id=CVE-2024-49761" }, { "name": "CVE-2022-24808", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24808" }, { "name": "CVE-2025-59962", "url": "https://www.cve.org/CVERecord?id=CVE-2025-59962" }, { "name": "CVE-2024-21208", "url": "https://www.cve.org/CVERecord?id=CVE-2024-21208" }, { "name": "CVE-2020-11023", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11023" }, { "name": "CVE-2024-40961", "url": "https://www.cve.org/CVERecord?id=CVE-2024-40961" } ], "initial_release_date": "2025-10-09T00:00:00", "last_revision_date": "2025-10-09T00:00:00", "links": [], "reference": "CERTFR-2025-AVI-0855", "revisions": [ { "description": "Version initiale", "revision_date": "2025-10-09T00:00:00.000000" } ], "risks": [ { "description": "D\u00e9ni de service \u00e0 distance" }, { "description": "Injection de code indirecte \u00e0 distance (XSS)" }, { "description": "Ex\u00e9cution de code arbitraire \u00e0 distance" }, { "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es" }, { "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur" }, { "description": "Contournement de la politique de s\u00e9curit\u00e9" }, { "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es" }, { "description": "\u00c9l\u00e9vation de privil\u00e8ges" } ], "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Juniper Networks. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.", "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Juniper Networks", "vendor_advisories": [ { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103140", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-Space-Multiple-XSS-vulnerabilities-resolved-in-24-1R4-release" }, { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103141", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-Space-Multiple-vulnerabilities-resolved-in-24-1R4-release" }, { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103163", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-Evolved-Multiple-OS-command-injection-vulnerabilities-fixed-CVE-2025-60006" }, { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103168", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Device-allows-login-for-user-with-expired-password-CVE-2025-60010" }, { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103171", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-Space-Reflected-client-side-HTTP-parameter-pollution-vulnerability-in-web-interface-CVE-2025-59977" }, { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103167", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-When-a-user-with-the-name-ftp-or-anonymous-is-configured-unauthenticated-filesystem-access-is-allowed-CVE-2025-59980" }, { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103156", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-Evolved-ACX7024-ACX7024X-ACX7100-32C-ACX7100-48L-ACX7348-ACX7509-When-specific-valid-multicast-traffic-is-received-on-the-L3-interface-a-vulnerable-device-evo-pfemand-crashes-and-restarts-CVE-2025-59967" }, { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103437", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Security-Director-Policy-Enforcer-An-unrestricted-API-allows-a-network-based-unauthenticated-attacker-to-deploy-malicious-vSRX-images-to-VMWare-NSX-Server-CVE-2025-11198" }, { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103172", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-Space-Flooding-device-with-inbound-API-calls-leads-to-WebUI-and-CLI-management-access-DoS-CVE-2025-59975" }, { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103157", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Juniper-Security-Director-Insufficient-authorization-for-sensitive-resources-in-web-interface-CVE-2025-59968" }, { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103170", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-Space-Arbitrary-file-download-vulnerability-in-web-interface-CVE-2025-59976" }, { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103139", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-Space-Security-Director-Multiple-vulnerabilities-resolved-in-24-1R4" }, { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103151", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-With-BGP-sharding-enabled-change-in-indirect-next-hop-can-cause-RPD-crash-CVE-2025-59962" }, { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103153", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-SRX4700-When-forwarding-options-sampling-is-enabled-any-traffic-destined-to-the-RE-will-cause-the-forwarding-line-card-to-crash-and-restart-CVE-2025-59964" }, { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103147", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-Evolved-PTX-Series-When-firewall-filter-rejects-traffic-these-packets-are-erroneously-sent-to-the-RE-CVE-2025-59958" }, { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103144", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-Evolved-PTX-Series-except-PTX10003-An-unauthenticated-adjacent-attacker-sending-specific-valid-traffic-can-cause-a-memory-leak-in-cfmman-leading-to-FPC-crash-and-restart-CVE-2025-52961" }, { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103143", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-SRX-Series-and-MX-Series-Receipt-of-specific-SIP-packets-in-a-high-utilization-situation-causes-a-flowd-crash-CVE-2025-52960" }, { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103146", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-EX4600-Series-and-QFX5000-Series-An-attacker-with-physical-access-can-open-a-persistent-backdoor-CVE-2025-59957" }, { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103138", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-Space-Security-Director-Multiple-vulnerabilities-resolved-in-24-1R4-by-upgrading-Log4j-Java-library-to-2-23-1-and-ElasticSearch-to-6-8-17" }, { "published_at": "2025-10-08", "title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks JSA103165", "url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Specific-BGP-EVPN-update-message-causes-rpd-crash-CVE-2025-60004" } ] }
CERTFR-2022-AVI-960
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits IBM. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et un déni de service à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneVendor | Product | Description | ||
---|---|---|---|---|
IBM | QRadar SIEM | IBM QRadar SIEM versions antérieures à 7.5.0 Update Package Interim Fix 02 | ||
IBM | QRadar SIEM | IBM QRadar SIEM versions antérieures à 7.4.3 Fix Pack 7 | ||
IBM | WebSphere | IBM WebSphere Application Server Liberty 17.0.0.3 à 22.0.0.11 sans le correctif de sécurité temporaire PH49719 (la version 22.0.0.12 est prévue au quatrième trimestre 2022) |
Title | Publication Time | Tags | ||||||
---|---|---|---|---|---|---|---|---|
|
{ "$ref": "https://www.cert.ssi.gouv.fr/openapi.json", "affected_systems": [ { "description": "IBM QRadar SIEM versions ant\u00e9rieures \u00e0 7.5.0 Update Package Interim Fix 02", "product": { "name": "QRadar SIEM", "vendor": { "name": "IBM", "scada": false } } }, { "description": "IBM QRadar SIEM versions ant\u00e9rieures \u00e0 7.4.3 Fix Pack 7", "product": { "name": "QRadar SIEM", "vendor": { "name": "IBM", "scada": false } } }, { "description": "IBM WebSphere Application Server Liberty 17.0.0.3 \u00e0 22.0.0.11 sans le correctif de s\u00e9curit\u00e9 temporaire PH49719 (la version 22.0.0.12 est pr\u00e9vue au quatri\u00e8me trimestre 2022)", "product": { "name": "WebSphere", "vendor": { "name": "IBM", "scada": false } } } ], "affected_systems_content": null, "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n", "cves": [ { "name": "CVE-2019-17571", "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571" }, { "name": "CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "name": "CVE-2022-37734", "url": "https://www.cve.org/CVERecord?id=CVE-2022-37734" }, { "name": "CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" } ], "initial_release_date": "2022-10-27T00:00:00", "last_revision_date": "2022-10-27T00:00:00", "links": [], "reference": "CERTFR-2022-AVI-960", "revisions": [ { "description": "Version initiale", "revision_date": "2022-10-27T00:00:00.000000" } ], "risks": [ { "description": "D\u00e9ni de service \u00e0 distance" }, { "description": "Ex\u00e9cution de code arbitraire \u00e0 distance" } ], "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nElles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code\narbitraire \u00e0 distance et un d\u00e9ni de service \u00e0 distance.\n", "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM", "vendor_advisories": [ { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 6832094 du 26 octobre 2022", "url": "https://www.ibm.com/support/pages/node/6832094" }, { "published_at": null, "title": "Bulletin de s\u00e9curit\u00e9 IBM 6832160 du 26 octobre 2022", "url": "https://www.ibm.com/support/pages/node/6832160" } ] }
wid-sec-w-2024-0107
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Communications Applications umfasst eine Sammlung von Werkzeugen zur Verwaltung von Messaging-, Kommunikationsdiensten und -ressourcen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Communications Applications ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-0107 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0107.json" }, { "category": "self", "summary": "WID-SEC-2024-0107 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0107" }, { "category": "external", "summary": "Oracle Critical Patch Update Advisory - January 2024 - Appendix Oracle Communications Applications vom 2024-01-16", "url": "https://www.oracle.com/security-alerts/cpujan2024.html#AppendixCAGBU" } ], "source_lang": "en-US", "title": "Oracle Communications Applications: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-01-16T23:00:00.000+00:00", "generator": { "date": "2024-08-15T18:03:44.309+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2024-0107", "initial_release_date": "2024-01-16T23:00:00.000+00:00", "revision_history": [ { "date": "2024-01-16T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Oracle Communications Applications 7.4.0", "product": { "name": "Oracle Communications Applications 7.4.0", "product_id": "T018938", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.1", "product": { "name": "Oracle Communications Applications 7.4.1", "product_id": "T018939", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.1" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.2", "product": { "name": "Oracle Communications Applications 7.4.2", "product_id": "T018940", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.2" } } }, { "category": "product_name", "name": "Oracle Communications Applications 6.0.1.0.0", "product": { "name": "Oracle Communications Applications 6.0.1.0.0", "product_id": "T021634", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:6.0.1.0.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.5.0", "product": { "name": "Oracle Communications Applications 7.5.0", "product_id": "T021639", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.5.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4", "product": { "name": "Oracle Communications Applications 7.4", "product_id": "T022811", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 12.0.6.0.0", "product": { "name": "Oracle Communications Applications \u003c= 12.0.6.0.0", "product_id": "T027325", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:12.0.6.0.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 12.0.0.8.0", "product": { "name": "Oracle Communications Applications \u003c= 12.0.0.8.0", "product_id": "T028669", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:12.0.0.8.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 3.0.3.2", "product": { "name": "Oracle Communications Applications 3.0.3.2", "product_id": "T028670", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:3.0.3.2" } } }, { "category": "product_name", "name": "Oracle Communications Applications 10.0.1.7.0", "product": { "name": "Oracle Communications Applications 10.0.1.7.0", "product_id": "T028674", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:10.0.1.7.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.0.7.0", "product": { "name": "Oracle Communications Applications 7.4.0.7.0", "product_id": "T028676", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.0.7.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.1.5.0", "product": { "name": "Oracle Communications Applications 7.4.1.5.0", "product_id": "T028677", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.1.5.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.2.8.0", "product": { "name": "Oracle Communications Applications 7.4.2.8.0", "product_id": "T028678", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.2.8.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 6.3.1.0.0", "product": { "name": "Oracle Communications Applications 6.3.1.0.0", "product_id": "T030578", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:6.3.1.0.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 12.0.0.8", "product": { "name": "Oracle Communications Applications \u003c= 12.0.0.8", "product_id": "T030579", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:12.0.0.8" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 6.0.3", "product": { "name": "Oracle Communications Applications \u003c= 6.0.3", "product_id": "T030581", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:6.0.3" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 12.0.0.7", "product": { "name": "Oracle Communications Applications \u003c= 12.0.0.7", "product_id": "T032083", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:12.0.0.7" } } }, { "category": "product_name", "name": "Oracle Communications Applications 15.0.0.0.0", "product": { "name": "Oracle Communications Applications 15.0.0.0.0", "product_id": "T032084", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:15.0.0.0.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 3.0.3.3", "product": { "name": "Oracle Communications Applications 3.0.3.3", "product_id": "T032085", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:3.0.3.3" } } }, { "category": "product_name", "name": "Oracle Communications Applications 8.1.0.24.0", "product": { "name": "Oracle Communications Applications 8.1.0.24.0", "product_id": "T032086", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:8.1.0.24.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 5.5.19", "product": { "name": "Oracle Communications Applications \u003c= 5.5.19", "product_id": "T032087", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:5.5.19" } } } ], "category": "product_name", "name": "Communications Applications" } ], "category": "vendor", "name": "Oracle" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-5072", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-5072" }, { "cve": "CVE-2023-45648", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-45648" }, { "cve": "CVE-2023-44981", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-44981" }, { "cve": "CVE-2023-44487", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-44487" }, { "cve": "CVE-2023-44483", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-44483" }, { "cve": "CVE-2023-42794", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-42794" }, { "cve": "CVE-2023-42503", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-42503" }, { "cve": "CVE-2023-37536", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-37536" }, { "cve": "CVE-2023-34981", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-34981" }, { "cve": "CVE-2023-34034", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-34034" }, { "cve": "CVE-2023-33201", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-33201" }, { "cve": "CVE-2023-31122", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-31122" }, { "cve": "CVE-2023-2976", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-2976" }, { "cve": "CVE-2023-28823", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-28823" }, { "cve": "CVE-2023-25194", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-25194" }, { "cve": "CVE-2023-20883", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-20883" }, { "cve": "CVE-2022-45868", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-45868" }, { "cve": "CVE-2022-42920", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-42920" }, { "cve": "CVE-2022-36944", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-36944" }, { "cve": "CVE-2022-31160", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-31160" }, { "cve": "CVE-2022-31147", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-31147" }, { "cve": "CVE-2022-1471", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-1471" }, { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2021-4104" }, { "cve": "CVE-2021-37533", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2021-37533" } ] }
WID-SEC-W-2023-1807
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Oracle Fusion Middleware b\u00fcndelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-1807 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1807.json" }, { "category": "self", "summary": "WID-SEC-2023-1807 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1807" }, { "category": "external", "summary": "Oracle Critical Patch Update Advisory - July 2023 - Appendix Oracle Fusion Middleware vom 2023-07-18", "url": "https://www.oracle.com/security-alerts/cpujul2023.html#AppendixFMW" }, { "category": "external", "summary": "Dell Security Advisory DSA-2023-409 vom 2023-12-23", "url": "https://www.dell.com/support/kbdoc/000220669/dsa-2023-=" } ], "source_lang": "en-US", "title": "Oracle Fusion Middleware: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-12-26T23:00:00.000+00:00", "generator": { "date": "2024-08-15T17:55:51.397+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2023-1807", "initial_release_date": "2023-07-18T22:00:00.000+00:00", "revision_history": [ { "date": "2023-07-18T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-12-26T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Dell aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Oracle Fusion Middleware 12.2.1.3.0", "product": { "name": "Oracle Fusion Middleware 12.2.1.3.0", "product_id": "618028", "product_identification_helper": { "cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.3.0" } } }, { "category": "product_name", "name": "Oracle Fusion Middleware 12.2.1.4.0", "product": { "name": "Oracle Fusion Middleware 12.2.1.4.0", "product_id": "751674", "product_identification_helper": { "cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.4.0" } } }, { "category": "product_name", "name": "Oracle Fusion Middleware 14.1.1.0.0", "product": { "name": "Oracle Fusion Middleware 14.1.1.0.0", "product_id": "829576", "product_identification_helper": { "cpe": "cpe:/a:oracle:fusion_middleware:14.1.1.0.0" } } }, { "category": "product_name", "name": "Oracle Fusion Middleware 9.1.0", "product": { "name": "Oracle Fusion Middleware 9.1.0", "product_id": "T022847", "product_identification_helper": { "cpe": "cpe:/a:oracle:fusion_middleware:9.1.0" } } }, { "category": "product_name", "name": "Oracle Fusion Middleware \u003c 11.1.2.3.1", "product": { "name": "Oracle Fusion Middleware \u003c 11.1.2.3.1", "product_id": "T028708", "product_identification_helper": { "cpe": "cpe:/a:oracle:fusion_middleware:11.1.2.3.1" } } } ], "category": "product_name", "name": "Fusion Middleware" } ], "category": "vendor", "name": "Oracle" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-26119", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-26119" }, { "cve": "CVE-2023-26049", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-26049" }, { "cve": "CVE-2023-25690", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-25690" }, { "cve": "CVE-2023-25194", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-25194" }, { "cve": "CVE-2023-24998", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-24998" }, { "cve": "CVE-2023-23914", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-23914" }, { "cve": "CVE-2023-22899", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-22899" }, { "cve": "CVE-2023-22040", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-22040" }, { "cve": "CVE-2023-22031", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-22031" }, { "cve": "CVE-2023-21994", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-21994" }, { "cve": "CVE-2023-20863", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-20863" }, { "cve": "CVE-2023-20861", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-20861" }, { "cve": "CVE-2023-20860", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-20860" }, { "cve": "CVE-2023-1436", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-1436" }, { "cve": "CVE-2023-1370", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-1370" }, { "cve": "CVE-2022-45688", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-45688" }, { "cve": "CVE-2022-45047", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-45047" }, { "cve": "CVE-2022-43680", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-43680" }, { "cve": "CVE-2022-42920", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-42920" }, { "cve": "CVE-2022-42890", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-42890" }, { "cve": "CVE-2022-41966", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-41966" }, { "cve": "CVE-2022-41853", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-41853" }, { "cve": "CVE-2022-40152", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-40152" }, { "cve": "CVE-2022-36033", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-36033" }, { "cve": "CVE-2022-33879", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-33879" }, { "cve": "CVE-2022-31197", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-31197" }, { "cve": "CVE-2022-29546", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-29546" }, { "cve": "CVE-2022-25647", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-25647" }, { "cve": "CVE-2022-24409", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-24409" }, { "cve": "CVE-2022-23437", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-23437" }, { "cve": "CVE-2021-46877", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-46877" }, { "cve": "CVE-2021-43113", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-43113" }, { "cve": "CVE-2021-42575", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-42575" }, { "cve": "CVE-2021-41184", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-41184" }, { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-4104" }, { "cve": "CVE-2021-37533", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-37533" }, { "cve": "CVE-2021-36374", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-36374" }, { "cve": "CVE-2021-36090", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-36090" }, { "cve": "CVE-2021-34429", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-34429" }, { "cve": "CVE-2021-33813", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-33813" }, { "cve": "CVE-2021-29425", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-29425" }, { "cve": "CVE-2021-28168", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-28168" }, { "cve": "CVE-2021-26117", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-26117" }, { "cve": "CVE-2021-23926", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-23926" }, { "cve": "CVE-2020-8908", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2020-8908" }, { "cve": "CVE-2020-36518", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2020-36518" }, { "cve": "CVE-2020-17521", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2020-17521" }, { "cve": "CVE-2020-13956", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2020-13956" }, { "cve": "CVE-2020-13936", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2020-13936" } ] }
wid-sec-w-2023-0063
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Junos Space ist eine Software-Plattform, die eine Reihe von Applikationen f\u00fcr das Netzwerkmanagement beinhaltet.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Juniper Junos Space ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern.", "title": "Angriff" }, { "category": "general", "text": "- Juniper Appliance", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-0063 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2023-0063.json" }, { "category": "self", "summary": "WID-SEC-2023-0063 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0063" }, { "category": "external", "summary": "Juniper Security Advisory JSA70182 vom 2023-01-12", "url": "https://supportportal.juniper.net/s/article/2023-01-Security-Bulletin-Contrail-Service-Orchestration-Multiple-vulnerabilities-resolved-in-CSO-6-3-0?language=en_US" }, { "category": "external", "summary": "Juniper Security Advisory vom 2022-01-12", "url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11287\u0026cat=SIRT_1" } ], "source_lang": "en-US", "title": "Juniper Junos Space: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-01-11T23:00:00.000+00:00", "generator": { "date": "2024-08-15T17:41:07.526+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2023-0063", "initial_release_date": "2022-01-12T23:00:00.000+00:00", "revision_history": [ { "date": "2022-01-12T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-01-11T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Juniper aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Juniper Contrail Service Orchestration", "product": { "name": "Juniper Contrail Service Orchestration", "product_id": "T025794", "product_identification_helper": { "cpe": "cpe:/a:juniper:contrail_service_orchestration:-" } } }, { "category": "product_name", "name": "Juniper Junos Space \u003c 21.3R1", "product": { "name": "Juniper Junos Space \u003c 21.3R1", "product_id": "T021576", "product_identification_helper": { "cpe": "cpe:/a:juniper:junos_space:21.3r1" } } } ], "category": "vendor", "name": "Juniper" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-17543", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2019-17543" }, { "cve": "CVE-2019-20934", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2019-20934" }, { "cve": "CVE-2020-0543", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-0543" }, { "cve": "CVE-2020-0548", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-0548" }, { "cve": "CVE-2020-0549", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-0549" }, { "cve": "CVE-2020-11022", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-11022" }, { "cve": "CVE-2020-11023", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-11023" }, { "cve": "CVE-2020-11668", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-11668" }, { "cve": "CVE-2020-11984", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-11984" }, { "cve": "CVE-2020-11993", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-11993" }, { "cve": "CVE-2020-12362", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-12362" }, { "cve": "CVE-2020-12363", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-12363" }, { "cve": "CVE-2020-12364", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-12364" }, { "cve": "CVE-2020-1927", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-1927" }, { "cve": "CVE-2020-1934", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-1934" }, { "cve": "CVE-2020-24489", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-24489" }, { "cve": "CVE-2020-24511", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-24511" }, { "cve": "CVE-2020-24512", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-24512" }, { "cve": "CVE-2020-27170", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-27170" }, { "cve": "CVE-2020-27777", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-27777" }, { "cve": "CVE-2020-29443", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-29443" }, { "cve": "CVE-2020-8625", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-8625" }, { "cve": "CVE-2020-8648", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-8648" }, { "cve": "CVE-2020-8695", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-8695" }, { "cve": "CVE-2020-8696", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-8696" }, { "cve": "CVE-2020-8698", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-8698" }, { "cve": "CVE-2020-9490", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-9490" }, { "cve": "CVE-2021-20254", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-20254" }, { "cve": "CVE-2021-22555", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-22555" }, { "cve": "CVE-2021-22901", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-22901" }, { "cve": "CVE-2021-2341", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-2341" }, { "cve": "CVE-2021-2342", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-2342" }, { "cve": "CVE-2021-2356", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-2356" }, { "cve": "CVE-2021-2369", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-2369" }, { "cve": "CVE-2021-2372", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-2372" }, { "cve": "CVE-2021-2385", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-2385" }, { "cve": "CVE-2021-2388", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-2388" }, { "cve": "CVE-2021-2389", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-2389" }, { "cve": "CVE-2021-2390", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-2390" }, { "cve": "CVE-2021-25214", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-25214" }, { "cve": "CVE-2021-25217", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-25217" }, { "cve": "CVE-2021-27219", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-27219" }, { "cve": "CVE-2021-29154", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-29154" }, { "cve": "CVE-2021-29650", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-29650" }, { "cve": "CVE-2021-31535", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-31535" }, { "cve": "CVE-2021-32399", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-32399" }, { "cve": "CVE-2021-33033", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-33033" }, { "cve": "CVE-2021-33034", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-33034" }, { "cve": "CVE-2021-3347", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-3347" }, { "cve": "CVE-2021-33909", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-33909" }, { "cve": "CVE-2021-3653", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-3653" }, { "cve": "CVE-2021-3656", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-3656" }, { "cve": "CVE-2021-3715", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-3715" }, { "cve": "CVE-2021-37576", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-37576" }, { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-4104" }, { "cve": "CVE-2021-42550", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-42550" }, { "cve": "CVE-2021-44228", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-44228" }, { "cve": "CVE-2021-45046", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-45046" } ] }
WID-SEC-W-2024-0794
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Dell ECS ist ein Objektspeichersystem.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer kann mehrere Schwachstellen in Dell ECS ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Linux\n- UNIX\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-0794 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0794.json" }, { "category": "self", "summary": "WID-SEC-2024-0794 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0794" }, { "category": "external", "summary": "Dell Security Advisory DSA-2024-141 vom 2024-04-04", "url": "https://www.dell.com/support/kbdoc/000223839/dsa-2024-=" } ], "source_lang": "en-US", "title": "Dell ECS: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-11-27T23:00:00.000+00:00", "generator": { "date": "2024-11-28T11:39:04.623+00:00", "engine": { "name": "BSI-WID", "version": "1.3.8" } }, "id": "WID-SEC-W-2024-0794", "initial_release_date": "2024-04-04T22:00:00.000+00:00", "revision_history": [ { "date": "2024-04-04T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2024-11-27T23:00:00.000+00:00", "number": "2", "summary": "Produktzuordnung \u00fcberpr\u00fcft" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c3.8.1.0", "product": { "name": "Dell ECS \u003c3.8.1.0", "product_id": "T033919" } }, { "category": "product_version", "name": "3.8.1.0", "product": { "name": "Dell ECS 3.8.1.0", "product_id": "T033919-fixed", "product_identification_helper": { "cpe": "cpe:/h:dell:ecs:3.8.1.0" } } } ], "category": "product_name", "name": "ECS" } ], "category": "vendor", "name": "Dell" } ] }, "vulnerabilities": [ { "cve": "CVE-2018-18074", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2018-18074" }, { "cve": "CVE-2020-10663", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-10663" }, { "cve": "CVE-2020-10672", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-10672" }, { "cve": "CVE-2020-10673", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-10673" }, { "cve": "CVE-2020-10735", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-10735" }, { "cve": "CVE-2020-10968", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-10968" }, { "cve": "CVE-2020-10969", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-10969" }, { "cve": "CVE-2020-11111", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-11111" }, { "cve": "CVE-2020-11112", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-11112" }, { "cve": "CVE-2020-11113", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-11113" }, { "cve": "CVE-2020-11612", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-11612" }, { "cve": "CVE-2020-11619", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-11619" }, { "cve": "CVE-2020-11620", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-11620" }, { "cve": "CVE-2020-11979", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-11979" }, { "cve": "CVE-2020-12762", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-12762" }, { "cve": "CVE-2020-12825", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-12825" }, { "cve": "CVE-2020-13956", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-13956" }, { "cve": "CVE-2020-14060", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-14060" }, { "cve": "CVE-2020-14061", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-14061" }, { "cve": "CVE-2020-14062", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-14062" }, { "cve": "CVE-2020-14195", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-14195" }, { "cve": "CVE-2020-15250", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-15250" }, { "cve": "CVE-2020-1945", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-1945" }, { "cve": "CVE-2020-1967", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-1967" }, { "cve": "CVE-2020-1971", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-1971" }, { "cve": "CVE-2020-24616", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-24616" }, { "cve": "CVE-2020-24750", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-24750" }, { "cve": "CVE-2020-25649", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-25649" }, { "cve": "CVE-2020-25658", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-25658" }, { "cve": "CVE-2020-26116", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-26116" }, { "cve": "CVE-2020-26137", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-26137" }, { "cve": "CVE-2020-26541", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-26541" }, { "cve": "CVE-2020-27216", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-27216" }, { "cve": "CVE-2020-27218", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-27218" }, { "cve": "CVE-2020-27223", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-27223" }, { "cve": "CVE-2020-28366", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-28366" }, { "cve": "CVE-2020-28493", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-28493" }, { "cve": "CVE-2020-29509", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-29509" }, { "cve": "CVE-2020-29511", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-29511" }, { "cve": "CVE-2020-29582", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-29582" }, { "cve": "CVE-2020-29651", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-29651" }, { "cve": "CVE-2020-35490", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-35490" }, { "cve": "CVE-2020-35491", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-35491" }, { "cve": "CVE-2020-35728", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-35728" }, { "cve": "CVE-2020-36179", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36179" }, { "cve": "CVE-2020-36180", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36180" }, { "cve": "CVE-2020-36181", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36181" }, { "cve": "CVE-2020-36182", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36182" }, { "cve": "CVE-2020-36183", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36183" }, { "cve": "CVE-2020-36184", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36184" }, { "cve": "CVE-2020-36185", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36185" }, { "cve": "CVE-2020-36186", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36186" }, { "cve": "CVE-2020-36187", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36187" }, { "cve": "CVE-2020-36188", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36188" }, { "cve": "CVE-2020-36189", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36189" }, { "cve": "CVE-2020-36516", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36516" }, { "cve": "CVE-2020-36518", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36518" }, { "cve": "CVE-2020-36557", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36557" }, { "cve": "CVE-2020-36558", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36558" }, { "cve": "CVE-2020-36691", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36691" }, { "cve": "CVE-2020-7238", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-7238" }, { "cve": "CVE-2020-8840", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-8840" }, { "cve": "CVE-2020-8908", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-8908" }, { "cve": "CVE-2020-8911", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-8911" }, { "cve": "CVE-2020-8912", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-8912" }, { "cve": "CVE-2020-9488", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-9488" }, { "cve": "CVE-2020-9493", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-9493" }, { "cve": "CVE-2020-9546", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-9546" }, { "cve": "CVE-2020-9547", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-9547" }, { "cve": "CVE-2020-9548", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-9548" }, { "cve": "CVE-2021-20190", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-20190" }, { "cve": "CVE-2021-20323", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-20323" }, { "cve": "CVE-2021-21290", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-21290" }, { "cve": "CVE-2021-21295", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-21295" }, { "cve": "CVE-2021-21409", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-21409" }, { "cve": "CVE-2021-23840", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-23840" }, { "cve": "CVE-2021-23841", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-23841" }, { "cve": "CVE-2021-2471", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-2471" }, { "cve": "CVE-2021-25642", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-25642" }, { "cve": "CVE-2021-26341", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-26341" }, { "cve": "CVE-2021-27918", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-27918" }, { "cve": "CVE-2021-28153", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-28153" }, { "cve": "CVE-2021-28165", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-28165" }, { "cve": "CVE-2021-28169", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-28169" }, { "cve": "CVE-2021-28861", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-28861" }, { "cve": "CVE-2021-29425", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-29425" }, { "cve": "CVE-2021-30560", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-30560" }, { "cve": "CVE-2021-3114", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3114" }, { "cve": "CVE-2021-33036", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-33036" }, { "cve": "CVE-2021-33194", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-33194" }, { "cve": "CVE-2021-33195", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-33195" }, { "cve": "CVE-2021-33196", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-33196" }, { "cve": "CVE-2021-33197", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-33197" }, { "cve": "CVE-2021-33503", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-33503" }, { "cve": "CVE-2021-33655", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-33655" }, { "cve": "CVE-2021-33656", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-33656" }, { "cve": "CVE-2021-3424", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3424" }, { "cve": "CVE-2021-34428", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-34428" }, { "cve": "CVE-2021-3449", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3449" }, { "cve": "CVE-2021-3450", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3450" }, { "cve": "CVE-2021-3530", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3530" }, { "cve": "CVE-2021-36221", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-36221" }, { "cve": "CVE-2021-36373", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-36373" }, { "cve": "CVE-2021-36374", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-36374" }, { "cve": "CVE-2021-3648", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3648" }, { "cve": "CVE-2021-36690", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-36690" }, { "cve": "CVE-2021-3711", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3711" }, { "cve": "CVE-2021-3712", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3712" }, { "cve": "CVE-2021-37136", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-37136" }, { "cve": "CVE-2021-37137", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-37137" }, { "cve": "CVE-2021-37404", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-37404" }, { "cve": "CVE-2021-37533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-37533" }, { "cve": "CVE-2021-3754", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3754" }, { "cve": "CVE-2021-3778", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3778" }, { "cve": "CVE-2021-3796", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3796" }, { "cve": "CVE-2021-3826", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3826" }, { "cve": "CVE-2021-3827", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3827" }, { "cve": "CVE-2021-38297", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-38297" }, { "cve": "CVE-2021-3872", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3872" }, { "cve": "CVE-2021-3875", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3875" }, { "cve": "CVE-2021-3903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3903" }, { "cve": "CVE-2021-3923", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3923" }, { "cve": "CVE-2021-3927", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3927" }, { "cve": "CVE-2021-3928", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3928" }, { "cve": "CVE-2021-3968", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3968" }, { "cve": "CVE-2021-3973", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3973" }, { "cve": "CVE-2021-3974", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3974" }, { "cve": "CVE-2021-3984", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3984" }, { "cve": "CVE-2021-4019", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4019" }, { "cve": "CVE-2021-4037", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4037" }, { "cve": "CVE-2021-4069", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4069" }, { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4104" }, { "cve": "CVE-2021-4136", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4136" }, { "cve": "CVE-2021-4157", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4157" }, { "cve": "CVE-2021-4166", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4166" }, { "cve": "CVE-2021-41771", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-41771" }, { "cve": "CVE-2021-4192", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4192" }, { "cve": "CVE-2021-4193", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4193" }, { "cve": "CVE-2021-4203", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4203" }, { "cve": "CVE-2021-42567", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-42567" }, { "cve": "CVE-2021-43797", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-43797" }, { "cve": "CVE-2021-44531", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-44531" }, { "cve": "CVE-2021-44532", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-44532" }, { "cve": "CVE-2021-44533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-44533" }, { "cve": "CVE-2021-44716", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-44716" }, { "cve": "CVE-2021-44878", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-44878" }, { "cve": "CVE-2021-45078", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-45078" }, { "cve": "CVE-2021-46195", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-46195" }, { "cve": "CVE-2021-46828", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-46828" }, { "cve": "CVE-2021-46848", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-46848" }, { "cve": "CVE-2022-0128", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0128" }, { "cve": "CVE-2022-0213", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0213" }, { "cve": "CVE-2022-0225", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0225" }, { "cve": "CVE-2022-0261", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0261" }, { "cve": "CVE-2022-0318", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0318" }, { "cve": "CVE-2022-0319", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0319" }, { "cve": "CVE-2022-0351", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0351" }, { "cve": "CVE-2022-0359", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0359" }, { "cve": "CVE-2022-0361", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0361" }, { "cve": "CVE-2022-0392", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0392" }, { "cve": "CVE-2022-0407", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0407" }, { "cve": "CVE-2022-0413", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0413" }, { "cve": "CVE-2022-0561", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0561" }, { "cve": "CVE-2022-0696", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0696" }, { "cve": "CVE-2022-0778", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0778" }, { "cve": "CVE-2022-1184", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1184" }, { "cve": "CVE-2022-1245", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1245" }, { "cve": "CVE-2022-1271", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1271" }, { "cve": "CVE-2022-1292", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1292" }, { "cve": "CVE-2022-1381", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1381" }, { "cve": "CVE-2022-1420", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1420" }, { "cve": "CVE-2022-1462", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1462" }, { "cve": "CVE-2022-1466", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1466" }, { "cve": "CVE-2022-1471", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1471" }, { "cve": "CVE-2022-1586", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1586" }, { "cve": "CVE-2022-1587", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1587" }, { "cve": "CVE-2022-1616", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1616" }, { "cve": "CVE-2022-1619", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1619" }, { "cve": "CVE-2022-1620", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1620" }, { "cve": "CVE-2022-1679", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1679" }, { "cve": "CVE-2022-1705", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1705" }, { "cve": "CVE-2022-1720", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1720" }, { "cve": "CVE-2022-1729", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1729" }, { "cve": "CVE-2022-1733", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1733" }, { "cve": "CVE-2022-1735", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1735" }, { "cve": "CVE-2022-1771", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1771" }, { "cve": "CVE-2022-1785", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1785" }, { "cve": "CVE-2022-1796", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1796" }, { "cve": "CVE-2022-1851", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1851" }, { "cve": "CVE-2022-1897", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1897" }, { "cve": "CVE-2022-1898", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1898" }, { "cve": "CVE-2022-1927", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1927" }, { "cve": "CVE-2022-1962", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1962" }, { "cve": "CVE-2022-1968", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1968" }, { "cve": "CVE-2022-1974", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1974" }, { "cve": "CVE-2022-1975", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1975" }, { "cve": "CVE-2022-20132", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-20132" }, { "cve": "CVE-2022-20141", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-20141" }, { "cve": "CVE-2022-20154", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-20154" }, { "cve": "CVE-2022-20166", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-20166" }, { "cve": "CVE-2022-20368", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-20368" }, { "cve": "CVE-2022-20369", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-20369" }, { "cve": "CVE-2022-2047", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2047" }, { "cve": "CVE-2022-2048", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2048" }, { "cve": "CVE-2022-20567", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-20567" }, { "cve": "CVE-2022-2068", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2068" }, { "cve": "CVE-2022-2097", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2097" }, { "cve": "CVE-2022-21216", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21216" }, { "cve": "CVE-2022-21233", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21233" }, { "cve": "CVE-2022-2124", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2124" }, { "cve": "CVE-2022-2125", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2125" }, { "cve": "CVE-2022-2126", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2126" }, { "cve": "CVE-2022-2129", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2129" }, { "cve": "CVE-2022-21363", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21363" }, { "cve": "CVE-2022-21385", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21385" }, { "cve": "CVE-2022-21499", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21499" }, { "cve": "CVE-2022-2153", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2153" }, { "cve": "CVE-2022-21540", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21540" }, { "cve": "CVE-2022-21541", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21541" }, { "cve": "CVE-2022-21549", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21549" }, { "cve": "CVE-2022-21618", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21618" }, { "cve": "CVE-2022-21619", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21619" }, { "cve": "CVE-2022-21624", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21624" }, { "cve": "CVE-2022-21626", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21626" }, { "cve": "CVE-2022-21628", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21628" }, { "cve": "CVE-2022-21702", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21702" }, { "cve": "CVE-2022-2175", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2175" }, { "cve": "CVE-2022-2182", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2182" }, { "cve": "CVE-2022-2183", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2183" }, { "cve": "CVE-2022-2206", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2206" }, { "cve": "CVE-2022-2207", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2207" }, { "cve": "CVE-2022-2208", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2208" }, { "cve": "CVE-2022-2210", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2210" }, { "cve": "CVE-2022-2231", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2231" }, { "cve": "CVE-2022-2256", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2256" }, { "cve": "CVE-2022-2257", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2257" }, { "cve": "CVE-2022-2264", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2264" }, { "cve": "CVE-2022-2284", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2284" }, { "cve": "CVE-2022-2285", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2285" }, { "cve": "CVE-2022-2286", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2286" }, { "cve": "CVE-2022-2287", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2287" }, { "cve": "CVE-2022-22976", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-22976" }, { "cve": "CVE-2022-22978", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-22978" }, { "cve": "CVE-2022-2304", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2304" }, { "cve": "CVE-2022-2318", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2318" }, { "cve": "CVE-2022-23302", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-23302" }, { "cve": "CVE-2022-23305", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-23305" }, { "cve": "CVE-2022-23307", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-23307" }, { "cve": "CVE-2022-2343", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2343" }, { "cve": "CVE-2022-2344", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2344" }, { "cve": "CVE-2022-2345", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2345" }, { "cve": "CVE-2022-23471", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-23471" }, { "cve": "CVE-2022-23521", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-23521" }, { "cve": "CVE-2022-23772", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-23772" }, { "cve": "CVE-2022-23773", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-23773" }, { "cve": "CVE-2022-24302", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-24302" }, { "cve": "CVE-2022-24329", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-24329" }, { "cve": "CVE-2022-24823", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-24823" }, { "cve": "CVE-2022-24903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-24903" }, { "cve": "CVE-2022-2503", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2503" }, { "cve": "CVE-2022-25147", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-25147" }, { "cve": "CVE-2022-25168", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-25168" }, { "cve": "CVE-2022-2519", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2519" }, { "cve": "CVE-2022-2520", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2520" }, { "cve": "CVE-2022-2521", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2521" }, { "cve": "CVE-2022-2522", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2522" }, { "cve": "CVE-2022-25647", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-25647" }, { "cve": "CVE-2022-2571", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2571" }, { "cve": "CVE-2022-2580", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2580" }, { "cve": "CVE-2022-2581", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2581" }, { "cve": "CVE-2022-25857", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-25857" }, { "cve": "CVE-2022-2588", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2588" }, { "cve": "CVE-2022-2598", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2598" }, { "cve": "CVE-2022-26148", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-26148" }, { "cve": "CVE-2022-26365", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-26365" }, { "cve": "CVE-2022-26373", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-26373" }, { "cve": "CVE-2022-2639", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2639" }, { "cve": "CVE-2022-26612", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-26612" }, { "cve": "CVE-2022-2663", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2663" }, { "cve": "CVE-2022-27781", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-27781" }, { "cve": "CVE-2022-27782", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-27782" }, { "cve": "CVE-2022-27943", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-27943" }, { "cve": "CVE-2022-2795", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2795" }, { "cve": "CVE-2022-28131", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-28131" }, { "cve": "CVE-2022-2816", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2816" }, { "cve": "CVE-2022-2817", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2817" }, { "cve": "CVE-2022-2819", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2819" }, { "cve": "CVE-2022-28327", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-28327" }, { "cve": "CVE-2022-2845", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2845" }, { "cve": "CVE-2022-2849", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2849" }, { "cve": "CVE-2022-2862", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2862" }, { "cve": "CVE-2022-2867", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2867" }, { "cve": "CVE-2022-2868", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2868" }, { "cve": "CVE-2022-2869", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2869" }, { "cve": "CVE-2022-28693", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-28693" }, { "cve": "CVE-2022-2874", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2874" }, { "cve": "CVE-2022-28748", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-28748" }, { "cve": "CVE-2022-2880", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2880" }, { "cve": "CVE-2022-2889", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2889" }, { "cve": "CVE-2022-29162", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-29162" }, { "cve": "CVE-2022-29187", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-29187" }, { "cve": "CVE-2022-2923", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2923" }, { "cve": "CVE-2022-2946", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2946" }, { "cve": "CVE-2022-29526", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-29526" }, { "cve": "CVE-2022-29583", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-29583" }, { "cve": "CVE-2022-2964", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2964" }, { "cve": "CVE-2022-2977", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2977" }, { "cve": "CVE-2022-2980", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2980" }, { "cve": "CVE-2022-2982", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2982" }, { "cve": "CVE-2022-29900", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-29900" }, { "cve": "CVE-2022-29901", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-29901" }, { "cve": "CVE-2022-2991", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2991" }, { "cve": "CVE-2022-3016", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3016" }, { "cve": "CVE-2022-3028", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3028" }, { "cve": "CVE-2022-3037", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3037" }, { "cve": "CVE-2022-30580", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-30580" }, { "cve": "CVE-2022-30630", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-30630" }, { "cve": "CVE-2022-30631", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-30631" }, { "cve": "CVE-2022-30632", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-30632" }, { "cve": "CVE-2022-30633", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-30633" }, { "cve": "CVE-2022-3099", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3099" }, { "cve": "CVE-2022-31030", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-31030" }, { "cve": "CVE-2022-31159", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-31159" }, { "cve": "CVE-2022-3134", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3134" }, { "cve": "CVE-2022-3153", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3153" }, { "cve": "CVE-2022-3169", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3169" }, { "cve": "CVE-2022-31690", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-31690" }, { "cve": "CVE-2022-32148", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-32148" }, { "cve": "CVE-2022-32149", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-32149" }, { "cve": "CVE-2022-32206", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-32206" }, { "cve": "CVE-2022-32208", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-32208" }, { "cve": "CVE-2022-32221", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-32221" }, { "cve": "CVE-2022-3234", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3234" }, { "cve": "CVE-2022-3235", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3235" }, { "cve": "CVE-2022-3239", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3239" }, { "cve": "CVE-2022-3278", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3278" }, { "cve": "CVE-2022-3296", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3296" }, { "cve": "CVE-2022-3297", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3297" }, { "cve": "CVE-2022-33196", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-33196" }, { "cve": "CVE-2022-3324", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3324" }, { "cve": "CVE-2022-3352", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3352" }, { "cve": "CVE-2022-33740", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-33740" }, { "cve": "CVE-2022-33741", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-33741" }, { "cve": "CVE-2022-33742", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-33742" }, { "cve": "CVE-2022-33972", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-33972" }, { "cve": "CVE-2022-33981", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-33981" }, { "cve": "CVE-2022-34169", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-34169" }, { "cve": "CVE-2022-3424", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3424" }, { "cve": "CVE-2022-34266", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-34266" }, { "cve": "CVE-2022-34526", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-34526" }, { "cve": "CVE-2022-34903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-34903" }, { "cve": "CVE-2022-3491", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3491" }, { "cve": "CVE-2022-3515", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3515" }, { "cve": "CVE-2022-3520", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3520" }, { "cve": "CVE-2022-3521", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3521" }, { "cve": "CVE-2022-3524", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3524" }, { "cve": "CVE-2022-35252", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-35252" }, { "cve": "CVE-2022-3542", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3542" }, { "cve": "CVE-2022-3545", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3545" }, { "cve": "CVE-2022-3564", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3564" }, { "cve": "CVE-2022-3565", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3565" }, { "cve": "CVE-2022-3566", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3566" }, { "cve": "CVE-2022-3567", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3567" }, { "cve": "CVE-2022-35737", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-35737" }, { "cve": "CVE-2022-3586", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3586" }, { "cve": "CVE-2022-3591", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3591" }, { "cve": "CVE-2022-3594", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3594" }, { "cve": "CVE-2022-3597", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3597" }, { "cve": "CVE-2022-3599", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3599" }, { "cve": "CVE-2022-36109", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-36109" }, { "cve": "CVE-2022-3621", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3621" }, { "cve": "CVE-2022-3626", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3626" }, { "cve": "CVE-2022-3627", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3627" }, { "cve": "CVE-2022-3628", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3628" }, { "cve": "CVE-2022-36280", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-36280" }, { "cve": "CVE-2022-3629", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3629" }, { "cve": "CVE-2022-3635", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3635" }, { "cve": "CVE-2022-3643", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3643" }, { "cve": "CVE-2022-36437", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-36437" }, { "cve": "CVE-2022-3646", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3646" }, { "cve": "CVE-2022-3649", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3649" }, { "cve": "CVE-2022-36760", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-36760" }, { "cve": "CVE-2022-36879", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-36879" }, { "cve": "CVE-2022-36946", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-36946" }, { "cve": "CVE-2022-3705", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3705" }, { "cve": "CVE-2022-37434", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-37434" }, { "cve": "CVE-2022-37436", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-37436" }, { "cve": "CVE-2022-37865", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-37865" }, { "cve": "CVE-2022-37866", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-37866" }, { "cve": "CVE-2022-38090", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38090" }, { "cve": "CVE-2022-38096", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38096" }, { "cve": "CVE-2022-38126", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38126" }, { "cve": "CVE-2022-38127", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38127" }, { "cve": "CVE-2022-38177", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38177" }, { "cve": "CVE-2022-38178", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38178" }, { "cve": "CVE-2022-3821", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3821" }, { "cve": "CVE-2022-38533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38533" }, { "cve": "CVE-2022-38749", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38749" }, { "cve": "CVE-2022-38750", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38750" }, { "cve": "CVE-2022-38751", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38751" }, { "cve": "CVE-2022-38752", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38752" }, { "cve": "CVE-2022-39028", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-39028" }, { "cve": "CVE-2022-3903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3903" }, { "cve": "CVE-2022-39188", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-39188" }, { "cve": "CVE-2022-39399", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-39399" }, { "cve": "CVE-2022-3970", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3970" }, { "cve": "CVE-2022-40149", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40149" }, { "cve": "CVE-2022-40150", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40150" }, { "cve": "CVE-2022-40151", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40151" }, { "cve": "CVE-2022-40152", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40152" }, { "cve": "CVE-2022-40153", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40153" }, { "cve": "CVE-2022-40303", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40303" }, { "cve": "CVE-2022-40304", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40304" }, { "cve": "CVE-2022-40307", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40307" }, { "cve": "CVE-2022-40674", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40674" }, { "cve": "CVE-2022-40768", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40768" }, { "cve": "CVE-2022-40899", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40899" }, { "cve": "CVE-2022-4095", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4095" }, { "cve": "CVE-2022-41218", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41218" }, { "cve": "CVE-2022-4129", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4129" }, { "cve": "CVE-2022-4141", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4141" }, { "cve": "CVE-2022-41717", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41717" }, { "cve": "CVE-2022-41721", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41721" }, { "cve": "CVE-2022-41848", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41848" }, { "cve": "CVE-2022-41850", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41850" }, { "cve": "CVE-2022-41854", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41854" }, { "cve": "CVE-2022-41858", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41858" }, { "cve": "CVE-2022-41881", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41881" }, { "cve": "CVE-2022-41903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41903" }, { "cve": "CVE-2022-41915", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41915" }, { "cve": "CVE-2022-41966", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41966" }, { "cve": "CVE-2022-41974", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41974" }, { "cve": "CVE-2022-42003", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42003" }, { "cve": "CVE-2022-42004", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42004" }, { "cve": "CVE-2022-42010", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42010" }, { "cve": "CVE-2022-42011", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42011" }, { "cve": "CVE-2022-42012", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42012" }, { "cve": "CVE-2022-42328", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42328" }, { "cve": "CVE-2022-42329", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42329" }, { "cve": "CVE-2022-42703", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42703" }, { "cve": "CVE-2022-42889", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42889" }, { "cve": "CVE-2022-42895", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42895" }, { "cve": "CVE-2022-42896", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42896" }, { "cve": "CVE-2022-42898", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42898" }, { "cve": "CVE-2022-4292", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4292" }, { "cve": "CVE-2022-4293", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4293" }, { "cve": "CVE-2022-42969", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42969" }, { "cve": "CVE-2022-4304", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4304" }, { "cve": "CVE-2022-43552", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-43552" }, { "cve": "CVE-2022-43680", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-43680" }, { "cve": "CVE-2022-43750", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-43750" }, { "cve": "CVE-2022-4378", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4378" }, { "cve": "CVE-2022-43945", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-43945" }, { "cve": "CVE-2022-43995", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-43995" }, { "cve": "CVE-2022-4415", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4415" }, { "cve": "CVE-2022-4450", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4450" }, { "cve": "CVE-2022-44638", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-44638" }, { "cve": "CVE-2022-45061", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-45061" }, { "cve": "CVE-2022-45688", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-45688" }, { "cve": "CVE-2022-45884", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-45884" }, { "cve": "CVE-2022-45885", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-45885" }, { "cve": "CVE-2022-45886", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-45886" }, { "cve": "CVE-2022-45887", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-45887" }, { "cve": "CVE-2022-45919", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-45919" }, { "cve": "CVE-2022-45934", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-45934" }, { "cve": "CVE-2022-45939", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-45939" }, { "cve": "CVE-2022-4662", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4662" }, { "cve": "CVE-2022-46751", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-46751" }, { "cve": "CVE-2022-46908", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-46908" }, { "cve": "CVE-2022-47629", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-47629" }, { "cve": "CVE-2022-47929", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-47929" }, { "cve": "CVE-2022-48281", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-48281" }, { "cve": "CVE-2022-48337", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-48337" }, { "cve": "CVE-2022-48339", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-48339" }, { "cve": "CVE-2023-0045", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0045" }, { "cve": "CVE-2023-0049", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0049" }, { "cve": "CVE-2023-0051", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0051" }, { "cve": "CVE-2023-0054", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0054" }, { "cve": "CVE-2023-0215", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0215" }, { "cve": "CVE-2023-0286", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0286" }, { "cve": "CVE-2023-0288", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0288" }, { "cve": "CVE-2023-0433", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0433" }, { "cve": "CVE-2023-0464", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0464" }, { "cve": "CVE-2023-0465", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0465" }, { "cve": "CVE-2023-0466", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0466" }, { "cve": "CVE-2023-0512", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0512" }, { "cve": "CVE-2023-0590", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0590" }, { "cve": "CVE-2023-0597", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0597" }, { "cve": "CVE-2023-0833", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0833" }, { "cve": "CVE-2023-1076", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1076" }, { "cve": "CVE-2023-1095", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1095" }, { "cve": "CVE-2023-1118", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1118" }, { "cve": "CVE-2023-1127", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1127" }, { "cve": "CVE-2023-1170", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1170" }, { "cve": "CVE-2023-1175", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1175" }, { "cve": "CVE-2023-1370", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1370" }, { "cve": "CVE-2023-1380", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1380" }, { "cve": "CVE-2023-1390", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1390" }, { "cve": "CVE-2023-1436", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1436" }, { "cve": "CVE-2023-1513", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1513" }, { "cve": "CVE-2023-1611", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1611" }, { "cve": "CVE-2023-1670", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1670" }, { "cve": "CVE-2023-1855", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1855" }, { "cve": "CVE-2023-1989", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1989" }, { "cve": "CVE-2023-1990", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1990" }, { "cve": "CVE-2023-1998", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1998" }, { "cve": "CVE-2023-20862", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-20862" }, { "cve": "CVE-2023-2124", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2124" }, { "cve": "CVE-2023-2162", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2162" }, { "cve": "CVE-2023-2176", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2176" }, { "cve": "CVE-2023-21830", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21830" }, { "cve": "CVE-2023-21835", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21835" }, { "cve": "CVE-2023-21843", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21843" }, { "cve": "CVE-2023-21930", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21930" }, { "cve": "CVE-2023-21937", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21937" }, { "cve": "CVE-2023-21938", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21938" }, { "cve": "CVE-2023-21939", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21939" }, { "cve": "CVE-2023-2194", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2194" }, { "cve": "CVE-2023-21954", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21954" }, { "cve": "CVE-2023-21967", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21967" }, { "cve": "CVE-2023-21968", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21968" }, { "cve": "CVE-2023-22490", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-22490" }, { "cve": "CVE-2023-2253", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2253" }, { "cve": "CVE-2023-22809", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-22809" }, { "cve": "CVE-2023-23454", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-23454" }, { "cve": "CVE-2023-23455", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-23455" }, { "cve": "CVE-2023-23559", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-23559" }, { "cve": "CVE-2023-23916", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-23916" }, { "cve": "CVE-2023-23946", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-23946" }, { "cve": "CVE-2023-24329", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-24329" }, { "cve": "CVE-2023-24532", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-24532" }, { "cve": "CVE-2023-24534", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-24534" }, { "cve": "CVE-2023-2483", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2483" }, { "cve": "CVE-2023-24998", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-24998" }, { "cve": "CVE-2023-2513", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2513" }, { "cve": "CVE-2023-25193", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-25193" }, { "cve": "CVE-2023-25652", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-25652" }, { "cve": "CVE-2023-25690", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-25690" }, { "cve": "CVE-2023-25809", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-25809" }, { "cve": "CVE-2023-25815", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-25815" }, { "cve": "CVE-2023-26048", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-26048" }, { "cve": "CVE-2023-26049", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-26049" }, { "cve": "CVE-2023-2650", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2650" }, { "cve": "CVE-2023-26545", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-26545" }, { "cve": "CVE-2023-26604", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-26604" }, { "cve": "CVE-2023-27533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-27533" }, { "cve": "CVE-2023-27534", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-27534" }, { "cve": "CVE-2023-27535", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-27535" }, { "cve": "CVE-2023-27536", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-27536" }, { "cve": "CVE-2023-27538", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-27538" }, { "cve": "CVE-2023-27561", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-27561" }, { "cve": "CVE-2023-2828", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2828" }, { "cve": "CVE-2023-28320", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28320" }, { "cve": "CVE-2023-28321", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28321" }, { "cve": "CVE-2023-28322", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28322" }, { "cve": "CVE-2023-28328", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28328" }, { "cve": "CVE-2023-28464", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28464" }, { "cve": "CVE-2023-28486", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28486" }, { "cve": "CVE-2023-28487", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28487" }, { "cve": "CVE-2023-28642", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28642" }, { "cve": "CVE-2023-28772", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28772" }, { "cve": "CVE-2023-28840", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28840" }, { "cve": "CVE-2023-28841", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28841" }, { "cve": "CVE-2023-28842", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28842" }, { "cve": "CVE-2023-29007", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-29007" }, { "cve": "CVE-2023-29383", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-29383" }, { "cve": "CVE-2023-29402", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-29402" }, { "cve": "CVE-2023-29406", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-29406" }, { "cve": "CVE-2023-29409", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-29409" }, { "cve": "CVE-2023-2976", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2976" }, { "cve": "CVE-2023-30630", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-30630" }, { "cve": "CVE-2023-30772", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-30772" }, { "cve": "CVE-2023-31084", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-31084" }, { "cve": "CVE-2023-3138", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-3138" }, { "cve": "CVE-2023-31436", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-31436" }, { "cve": "CVE-2023-31484", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-31484" }, { "cve": "CVE-2023-32269", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-32269" }, { "cve": "CVE-2023-32697", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-32697" }, { "cve": "CVE-2023-33264", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-33264" }, { "cve": "CVE-2023-34034", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-34034" }, { "cve": "CVE-2023-34035", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-34035" }, { "cve": "CVE-2023-34453", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-34453" }, { "cve": "CVE-2023-34454", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-34454" }, { "cve": "CVE-2023-34455", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-34455" }, { "cve": "CVE-2023-34462", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-34462" }, { "cve": "CVE-2023-35116", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-35116" }, { "cve": "CVE-2023-3635", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-3635" }, { "cve": "CVE-2023-36479", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-36479" }, { "cve": "CVE-2023-39533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-39533" }, { "cve": "CVE-2023-40167", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-40167" }, { "cve": "CVE-2023-40217", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-40217" }, { "cve": "CVE-2023-41105", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-41105" }, { "cve": "CVE-2023-41900", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-41900" }, { "cve": "CVE-2023-43642", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-43642" }, { "cve": "CVE-2023-43804", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-43804" }, { "cve": "CVE-2023-44487", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-44487" }, { "cve": "CVE-2023-45803", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-45803" }, { "cve": "CVE-2024-21626", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2024-21626" } ] }
wid-sec-w-2024-0794
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Dell ECS ist ein Objektspeichersystem.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer kann mehrere Schwachstellen in Dell ECS ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Linux\n- UNIX\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-0794 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0794.json" }, { "category": "self", "summary": "WID-SEC-2024-0794 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0794" }, { "category": "external", "summary": "Dell Security Advisory DSA-2024-141 vom 2024-04-04", "url": "https://www.dell.com/support/kbdoc/000223839/dsa-2024-=" } ], "source_lang": "en-US", "title": "Dell ECS: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-11-27T23:00:00.000+00:00", "generator": { "date": "2024-11-28T11:39:04.623+00:00", "engine": { "name": "BSI-WID", "version": "1.3.8" } }, "id": "WID-SEC-W-2024-0794", "initial_release_date": "2024-04-04T22:00:00.000+00:00", "revision_history": [ { "date": "2024-04-04T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2024-11-27T23:00:00.000+00:00", "number": "2", "summary": "Produktzuordnung \u00fcberpr\u00fcft" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c3.8.1.0", "product": { "name": "Dell ECS \u003c3.8.1.0", "product_id": "T033919" } }, { "category": "product_version", "name": "3.8.1.0", "product": { "name": "Dell ECS 3.8.1.0", "product_id": "T033919-fixed", "product_identification_helper": { "cpe": "cpe:/h:dell:ecs:3.8.1.0" } } } ], "category": "product_name", "name": "ECS" } ], "category": "vendor", "name": "Dell" } ] }, "vulnerabilities": [ { "cve": "CVE-2018-18074", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2018-18074" }, { "cve": "CVE-2020-10663", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-10663" }, { "cve": "CVE-2020-10672", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-10672" }, { "cve": "CVE-2020-10673", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-10673" }, { "cve": "CVE-2020-10735", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-10735" }, { "cve": "CVE-2020-10968", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-10968" }, { "cve": "CVE-2020-10969", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-10969" }, { "cve": "CVE-2020-11111", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-11111" }, { "cve": "CVE-2020-11112", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-11112" }, { "cve": "CVE-2020-11113", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-11113" }, { "cve": "CVE-2020-11612", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-11612" }, { "cve": "CVE-2020-11619", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-11619" }, { "cve": "CVE-2020-11620", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-11620" }, { "cve": "CVE-2020-11979", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-11979" }, { "cve": "CVE-2020-12762", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-12762" }, { "cve": "CVE-2020-12825", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-12825" }, { "cve": "CVE-2020-13956", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-13956" }, { "cve": "CVE-2020-14060", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-14060" }, { "cve": "CVE-2020-14061", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-14061" }, { "cve": "CVE-2020-14062", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-14062" }, { "cve": "CVE-2020-14195", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-14195" }, { "cve": "CVE-2020-15250", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-15250" }, { "cve": "CVE-2020-1945", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-1945" }, { "cve": "CVE-2020-1967", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-1967" }, { "cve": "CVE-2020-1971", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-1971" }, { "cve": "CVE-2020-24616", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-24616" }, { "cve": "CVE-2020-24750", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-24750" }, { "cve": "CVE-2020-25649", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-25649" }, { "cve": "CVE-2020-25658", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-25658" }, { "cve": "CVE-2020-26116", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-26116" }, { "cve": "CVE-2020-26137", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-26137" }, { "cve": "CVE-2020-26541", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-26541" }, { "cve": "CVE-2020-27216", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-27216" }, { "cve": "CVE-2020-27218", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-27218" }, { "cve": "CVE-2020-27223", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-27223" }, { "cve": "CVE-2020-28366", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-28366" }, { "cve": "CVE-2020-28493", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-28493" }, { "cve": "CVE-2020-29509", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-29509" }, { "cve": "CVE-2020-29511", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-29511" }, { "cve": "CVE-2020-29582", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-29582" }, { "cve": "CVE-2020-29651", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-29651" }, { "cve": "CVE-2020-35490", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-35490" }, { "cve": "CVE-2020-35491", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-35491" }, { "cve": "CVE-2020-35728", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-35728" }, { "cve": "CVE-2020-36179", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36179" }, { "cve": "CVE-2020-36180", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36180" }, { "cve": "CVE-2020-36181", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36181" }, { "cve": "CVE-2020-36182", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36182" }, { "cve": "CVE-2020-36183", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36183" }, { "cve": "CVE-2020-36184", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36184" }, { "cve": "CVE-2020-36185", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36185" }, { "cve": "CVE-2020-36186", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36186" }, { "cve": "CVE-2020-36187", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36187" }, { "cve": "CVE-2020-36188", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36188" }, { "cve": "CVE-2020-36189", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36189" }, { "cve": "CVE-2020-36516", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36516" }, { "cve": "CVE-2020-36518", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36518" }, { "cve": "CVE-2020-36557", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36557" }, { "cve": "CVE-2020-36558", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36558" }, { "cve": "CVE-2020-36691", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-36691" }, { "cve": "CVE-2020-7238", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-7238" }, { "cve": "CVE-2020-8840", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-8840" }, { "cve": "CVE-2020-8908", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-8908" }, { "cve": "CVE-2020-8911", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-8911" }, { "cve": "CVE-2020-8912", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-8912" }, { "cve": "CVE-2020-9488", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-9488" }, { "cve": "CVE-2020-9493", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-9493" }, { "cve": "CVE-2020-9546", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-9546" }, { "cve": "CVE-2020-9547", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-9547" }, { "cve": "CVE-2020-9548", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2020-9548" }, { "cve": "CVE-2021-20190", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-20190" }, { "cve": "CVE-2021-20323", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-20323" }, { "cve": "CVE-2021-21290", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-21290" }, { "cve": "CVE-2021-21295", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-21295" }, { "cve": "CVE-2021-21409", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-21409" }, { "cve": "CVE-2021-23840", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-23840" }, { "cve": "CVE-2021-23841", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-23841" }, { "cve": "CVE-2021-2471", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-2471" }, { "cve": "CVE-2021-25642", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-25642" }, { "cve": "CVE-2021-26341", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-26341" }, { "cve": "CVE-2021-27918", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-27918" }, { "cve": "CVE-2021-28153", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-28153" }, { "cve": "CVE-2021-28165", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-28165" }, { "cve": "CVE-2021-28169", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-28169" }, { "cve": "CVE-2021-28861", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-28861" }, { "cve": "CVE-2021-29425", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-29425" }, { "cve": "CVE-2021-30560", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-30560" }, { "cve": "CVE-2021-3114", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3114" }, { "cve": "CVE-2021-33036", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-33036" }, { "cve": "CVE-2021-33194", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-33194" }, { "cve": "CVE-2021-33195", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-33195" }, { "cve": "CVE-2021-33196", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-33196" }, { "cve": "CVE-2021-33197", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-33197" }, { "cve": "CVE-2021-33503", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-33503" }, { "cve": "CVE-2021-33655", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-33655" }, { "cve": "CVE-2021-33656", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-33656" }, { "cve": "CVE-2021-3424", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3424" }, { "cve": "CVE-2021-34428", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-34428" }, { "cve": "CVE-2021-3449", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3449" }, { "cve": "CVE-2021-3450", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3450" }, { "cve": "CVE-2021-3530", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3530" }, { "cve": "CVE-2021-36221", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-36221" }, { "cve": "CVE-2021-36373", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-36373" }, { "cve": "CVE-2021-36374", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-36374" }, { "cve": "CVE-2021-3648", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3648" }, { "cve": "CVE-2021-36690", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-36690" }, { "cve": "CVE-2021-3711", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3711" }, { "cve": "CVE-2021-3712", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3712" }, { "cve": "CVE-2021-37136", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-37136" }, { "cve": "CVE-2021-37137", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-37137" }, { "cve": "CVE-2021-37404", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-37404" }, { "cve": "CVE-2021-37533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-37533" }, { "cve": "CVE-2021-3754", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3754" }, { "cve": "CVE-2021-3778", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3778" }, { "cve": "CVE-2021-3796", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3796" }, { "cve": "CVE-2021-3826", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3826" }, { "cve": "CVE-2021-3827", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3827" }, { "cve": "CVE-2021-38297", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-38297" }, { "cve": "CVE-2021-3872", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3872" }, { "cve": "CVE-2021-3875", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3875" }, { "cve": "CVE-2021-3903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3903" }, { "cve": "CVE-2021-3923", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3923" }, { "cve": "CVE-2021-3927", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3927" }, { "cve": "CVE-2021-3928", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3928" }, { "cve": "CVE-2021-3968", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3968" }, { "cve": "CVE-2021-3973", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3973" }, { "cve": "CVE-2021-3974", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3974" }, { "cve": "CVE-2021-3984", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-3984" }, { "cve": "CVE-2021-4019", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4019" }, { "cve": "CVE-2021-4037", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4037" }, { "cve": "CVE-2021-4069", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4069" }, { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4104" }, { "cve": "CVE-2021-4136", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4136" }, { "cve": "CVE-2021-4157", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4157" }, { "cve": "CVE-2021-4166", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4166" }, { "cve": "CVE-2021-41771", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-41771" }, { "cve": "CVE-2021-4192", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4192" }, { "cve": "CVE-2021-4193", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4193" }, { "cve": "CVE-2021-4203", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-4203" }, { "cve": "CVE-2021-42567", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-42567" }, { "cve": "CVE-2021-43797", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-43797" }, { "cve": "CVE-2021-44531", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-44531" }, { "cve": "CVE-2021-44532", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-44532" }, { "cve": "CVE-2021-44533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-44533" }, { "cve": "CVE-2021-44716", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-44716" }, { "cve": "CVE-2021-44878", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-44878" }, { "cve": "CVE-2021-45078", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-45078" }, { "cve": "CVE-2021-46195", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-46195" }, { "cve": "CVE-2021-46828", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-46828" }, { "cve": "CVE-2021-46848", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2021-46848" }, { "cve": "CVE-2022-0128", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0128" }, { "cve": "CVE-2022-0213", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0213" }, { "cve": "CVE-2022-0225", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0225" }, { "cve": "CVE-2022-0261", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0261" }, { "cve": "CVE-2022-0318", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0318" }, { "cve": "CVE-2022-0319", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0319" }, { "cve": "CVE-2022-0351", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0351" }, { "cve": "CVE-2022-0359", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0359" }, { "cve": "CVE-2022-0361", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0361" }, { "cve": "CVE-2022-0392", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0392" }, { "cve": "CVE-2022-0407", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0407" }, { "cve": "CVE-2022-0413", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0413" }, { "cve": "CVE-2022-0561", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0561" }, { "cve": "CVE-2022-0696", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0696" }, { "cve": "CVE-2022-0778", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-0778" }, { "cve": "CVE-2022-1184", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1184" }, { "cve": "CVE-2022-1245", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1245" }, { "cve": "CVE-2022-1271", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1271" }, { "cve": "CVE-2022-1292", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1292" }, { "cve": "CVE-2022-1381", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1381" }, { "cve": "CVE-2022-1420", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1420" }, { "cve": "CVE-2022-1462", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1462" }, { "cve": "CVE-2022-1466", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1466" }, { "cve": "CVE-2022-1471", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1471" }, { "cve": "CVE-2022-1586", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1586" }, { "cve": "CVE-2022-1587", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1587" }, { "cve": "CVE-2022-1616", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1616" }, { "cve": "CVE-2022-1619", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1619" }, { "cve": "CVE-2022-1620", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1620" }, { "cve": "CVE-2022-1679", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1679" }, { "cve": "CVE-2022-1705", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1705" }, { "cve": "CVE-2022-1720", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1720" }, { "cve": "CVE-2022-1729", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1729" }, { "cve": "CVE-2022-1733", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1733" }, { "cve": "CVE-2022-1735", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1735" }, { "cve": "CVE-2022-1771", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1771" }, { "cve": "CVE-2022-1785", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1785" }, { "cve": "CVE-2022-1796", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1796" }, { "cve": "CVE-2022-1851", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1851" }, { "cve": "CVE-2022-1897", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1897" }, { "cve": "CVE-2022-1898", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1898" }, { "cve": "CVE-2022-1927", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1927" }, { "cve": "CVE-2022-1962", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1962" }, { "cve": "CVE-2022-1968", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1968" }, { "cve": "CVE-2022-1974", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1974" }, { "cve": "CVE-2022-1975", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-1975" }, { "cve": "CVE-2022-20132", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-20132" }, { "cve": "CVE-2022-20141", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-20141" }, { "cve": "CVE-2022-20154", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-20154" }, { "cve": "CVE-2022-20166", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-20166" }, { "cve": "CVE-2022-20368", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-20368" }, { "cve": "CVE-2022-20369", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-20369" }, { "cve": "CVE-2022-2047", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2047" }, { "cve": "CVE-2022-2048", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2048" }, { "cve": "CVE-2022-20567", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-20567" }, { "cve": "CVE-2022-2068", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2068" }, { "cve": "CVE-2022-2097", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2097" }, { "cve": "CVE-2022-21216", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21216" }, { "cve": "CVE-2022-21233", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21233" }, { "cve": "CVE-2022-2124", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2124" }, { "cve": "CVE-2022-2125", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2125" }, { "cve": "CVE-2022-2126", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2126" }, { "cve": "CVE-2022-2129", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2129" }, { "cve": "CVE-2022-21363", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21363" }, { "cve": "CVE-2022-21385", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21385" }, { "cve": "CVE-2022-21499", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21499" }, { "cve": "CVE-2022-2153", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2153" }, { "cve": "CVE-2022-21540", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21540" }, { "cve": "CVE-2022-21541", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21541" }, { "cve": "CVE-2022-21549", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21549" }, { "cve": "CVE-2022-21618", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21618" }, { "cve": "CVE-2022-21619", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21619" }, { "cve": "CVE-2022-21624", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21624" }, { "cve": "CVE-2022-21626", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21626" }, { "cve": "CVE-2022-21628", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21628" }, { "cve": "CVE-2022-21702", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-21702" }, { "cve": "CVE-2022-2175", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2175" }, { "cve": "CVE-2022-2182", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2182" }, { "cve": "CVE-2022-2183", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2183" }, { "cve": "CVE-2022-2206", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2206" }, { "cve": "CVE-2022-2207", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2207" }, { "cve": "CVE-2022-2208", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2208" }, { "cve": "CVE-2022-2210", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2210" }, { "cve": "CVE-2022-2231", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2231" }, { "cve": "CVE-2022-2256", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2256" }, { "cve": "CVE-2022-2257", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2257" }, { "cve": "CVE-2022-2264", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2264" }, { "cve": "CVE-2022-2284", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2284" }, { "cve": "CVE-2022-2285", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2285" }, { "cve": "CVE-2022-2286", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2286" }, { "cve": "CVE-2022-2287", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2287" }, { "cve": "CVE-2022-22976", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-22976" }, { "cve": "CVE-2022-22978", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-22978" }, { "cve": "CVE-2022-2304", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2304" }, { "cve": "CVE-2022-2318", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2318" }, { "cve": "CVE-2022-23302", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-23302" }, { "cve": "CVE-2022-23305", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-23305" }, { "cve": "CVE-2022-23307", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-23307" }, { "cve": "CVE-2022-2343", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2343" }, { "cve": "CVE-2022-2344", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2344" }, { "cve": "CVE-2022-2345", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2345" }, { "cve": "CVE-2022-23471", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-23471" }, { "cve": "CVE-2022-23521", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-23521" }, { "cve": "CVE-2022-23772", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-23772" }, { "cve": "CVE-2022-23773", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-23773" }, { "cve": "CVE-2022-24302", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-24302" }, { "cve": "CVE-2022-24329", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-24329" }, { "cve": "CVE-2022-24823", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-24823" }, { "cve": "CVE-2022-24903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-24903" }, { "cve": "CVE-2022-2503", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2503" }, { "cve": "CVE-2022-25147", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-25147" }, { "cve": "CVE-2022-25168", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-25168" }, { "cve": "CVE-2022-2519", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2519" }, { "cve": "CVE-2022-2520", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2520" }, { "cve": "CVE-2022-2521", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2521" }, { "cve": "CVE-2022-2522", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2522" }, { "cve": "CVE-2022-25647", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-25647" }, { "cve": "CVE-2022-2571", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2571" }, { "cve": "CVE-2022-2580", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2580" }, { "cve": "CVE-2022-2581", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2581" }, { "cve": "CVE-2022-25857", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-25857" }, { "cve": "CVE-2022-2588", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2588" }, { "cve": "CVE-2022-2598", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2598" }, { "cve": "CVE-2022-26148", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-26148" }, { "cve": "CVE-2022-26365", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-26365" }, { "cve": "CVE-2022-26373", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-26373" }, { "cve": "CVE-2022-2639", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2639" }, { "cve": "CVE-2022-26612", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-26612" }, { "cve": "CVE-2022-2663", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2663" }, { "cve": "CVE-2022-27781", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-27781" }, { "cve": "CVE-2022-27782", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-27782" }, { "cve": "CVE-2022-27943", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-27943" }, { "cve": "CVE-2022-2795", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2795" }, { "cve": "CVE-2022-28131", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-28131" }, { "cve": "CVE-2022-2816", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2816" }, { "cve": "CVE-2022-2817", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2817" }, { "cve": "CVE-2022-2819", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2819" }, { "cve": "CVE-2022-28327", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-28327" }, { "cve": "CVE-2022-2845", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2845" }, { "cve": "CVE-2022-2849", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2849" }, { "cve": "CVE-2022-2862", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2862" }, { "cve": "CVE-2022-2867", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2867" }, { "cve": "CVE-2022-2868", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2868" }, { "cve": "CVE-2022-2869", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2869" }, { "cve": "CVE-2022-28693", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-28693" }, { "cve": "CVE-2022-2874", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2874" }, { "cve": "CVE-2022-28748", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-28748" }, { "cve": "CVE-2022-2880", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2880" }, { "cve": "CVE-2022-2889", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2889" }, { "cve": "CVE-2022-29162", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-29162" }, { "cve": "CVE-2022-29187", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-29187" }, { "cve": "CVE-2022-2923", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2923" }, { "cve": "CVE-2022-2946", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2946" }, { "cve": "CVE-2022-29526", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-29526" }, { "cve": "CVE-2022-29583", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-29583" }, { "cve": "CVE-2022-2964", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2964" }, { "cve": "CVE-2022-2977", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2977" }, { "cve": "CVE-2022-2980", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2980" }, { "cve": "CVE-2022-2982", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2982" }, { "cve": "CVE-2022-29900", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-29900" }, { "cve": "CVE-2022-29901", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-29901" }, { "cve": "CVE-2022-2991", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-2991" }, { "cve": "CVE-2022-3016", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3016" }, { "cve": "CVE-2022-3028", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3028" }, { "cve": "CVE-2022-3037", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3037" }, { "cve": "CVE-2022-30580", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-30580" }, { "cve": "CVE-2022-30630", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-30630" }, { "cve": "CVE-2022-30631", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-30631" }, { "cve": "CVE-2022-30632", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-30632" }, { "cve": "CVE-2022-30633", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-30633" }, { "cve": "CVE-2022-3099", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3099" }, { "cve": "CVE-2022-31030", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-31030" }, { "cve": "CVE-2022-31159", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-31159" }, { "cve": "CVE-2022-3134", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3134" }, { "cve": "CVE-2022-3153", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3153" }, { "cve": "CVE-2022-3169", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3169" }, { "cve": "CVE-2022-31690", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-31690" }, { "cve": "CVE-2022-32148", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-32148" }, { "cve": "CVE-2022-32149", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-32149" }, { "cve": "CVE-2022-32206", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-32206" }, { "cve": "CVE-2022-32208", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-32208" }, { "cve": "CVE-2022-32221", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-32221" }, { "cve": "CVE-2022-3234", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3234" }, { "cve": "CVE-2022-3235", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3235" }, { "cve": "CVE-2022-3239", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3239" }, { "cve": "CVE-2022-3278", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3278" }, { "cve": "CVE-2022-3296", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3296" }, { "cve": "CVE-2022-3297", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3297" }, { "cve": "CVE-2022-33196", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-33196" }, { "cve": "CVE-2022-3324", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3324" }, { "cve": "CVE-2022-3352", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3352" }, { "cve": "CVE-2022-33740", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-33740" }, { "cve": "CVE-2022-33741", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-33741" }, { "cve": "CVE-2022-33742", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-33742" }, { "cve": "CVE-2022-33972", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-33972" }, { "cve": "CVE-2022-33981", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-33981" }, { "cve": "CVE-2022-34169", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-34169" }, { "cve": "CVE-2022-3424", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3424" }, { "cve": "CVE-2022-34266", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-34266" }, { "cve": "CVE-2022-34526", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-34526" }, { "cve": "CVE-2022-34903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-34903" }, { "cve": "CVE-2022-3491", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3491" }, { "cve": "CVE-2022-3515", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3515" }, { "cve": "CVE-2022-3520", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3520" }, { "cve": "CVE-2022-3521", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3521" }, { "cve": "CVE-2022-3524", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3524" }, { "cve": "CVE-2022-35252", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-35252" }, { "cve": "CVE-2022-3542", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3542" }, { "cve": "CVE-2022-3545", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3545" }, { "cve": "CVE-2022-3564", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3564" }, { "cve": "CVE-2022-3565", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3565" }, { "cve": "CVE-2022-3566", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3566" }, { "cve": "CVE-2022-3567", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3567" }, { "cve": "CVE-2022-35737", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-35737" }, { "cve": "CVE-2022-3586", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3586" }, { "cve": "CVE-2022-3591", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3591" }, { "cve": "CVE-2022-3594", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3594" }, { "cve": "CVE-2022-3597", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3597" }, { "cve": "CVE-2022-3599", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3599" }, { "cve": "CVE-2022-36109", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-36109" }, { "cve": "CVE-2022-3621", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3621" }, { "cve": "CVE-2022-3626", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3626" }, { "cve": "CVE-2022-3627", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3627" }, { "cve": "CVE-2022-3628", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3628" }, { "cve": "CVE-2022-36280", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-36280" }, { "cve": "CVE-2022-3629", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3629" }, { "cve": "CVE-2022-3635", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3635" }, { "cve": "CVE-2022-3643", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3643" }, { "cve": "CVE-2022-36437", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-36437" }, { "cve": "CVE-2022-3646", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3646" }, { "cve": "CVE-2022-3649", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3649" }, { "cve": "CVE-2022-36760", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-36760" }, { "cve": "CVE-2022-36879", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-36879" }, { "cve": "CVE-2022-36946", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-36946" }, { "cve": "CVE-2022-3705", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3705" }, { "cve": "CVE-2022-37434", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-37434" }, { "cve": "CVE-2022-37436", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-37436" }, { "cve": "CVE-2022-37865", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-37865" }, { "cve": "CVE-2022-37866", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-37866" }, { "cve": "CVE-2022-38090", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38090" }, { "cve": "CVE-2022-38096", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38096" }, { "cve": "CVE-2022-38126", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38126" }, { "cve": "CVE-2022-38127", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38127" }, { "cve": "CVE-2022-38177", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38177" }, { "cve": "CVE-2022-38178", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38178" }, { "cve": "CVE-2022-3821", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3821" }, { "cve": "CVE-2022-38533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38533" }, { "cve": "CVE-2022-38749", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38749" }, { "cve": "CVE-2022-38750", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38750" }, { "cve": "CVE-2022-38751", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38751" }, { "cve": "CVE-2022-38752", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-38752" }, { "cve": "CVE-2022-39028", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-39028" }, { "cve": "CVE-2022-3903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3903" }, { "cve": "CVE-2022-39188", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-39188" }, { "cve": "CVE-2022-39399", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-39399" }, { "cve": "CVE-2022-3970", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-3970" }, { "cve": "CVE-2022-40149", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40149" }, { "cve": "CVE-2022-40150", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40150" }, { "cve": "CVE-2022-40151", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40151" }, { "cve": "CVE-2022-40152", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40152" }, { "cve": "CVE-2022-40153", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40153" }, { "cve": "CVE-2022-40303", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40303" }, { "cve": "CVE-2022-40304", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40304" }, { "cve": "CVE-2022-40307", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40307" }, { "cve": "CVE-2022-40674", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40674" }, { "cve": "CVE-2022-40768", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40768" }, { "cve": "CVE-2022-40899", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-40899" }, { "cve": "CVE-2022-4095", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4095" }, { "cve": "CVE-2022-41218", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41218" }, { "cve": "CVE-2022-4129", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4129" }, { "cve": "CVE-2022-4141", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4141" }, { "cve": "CVE-2022-41717", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41717" }, { "cve": "CVE-2022-41721", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41721" }, { "cve": "CVE-2022-41848", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41848" }, { "cve": "CVE-2022-41850", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41850" }, { "cve": "CVE-2022-41854", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41854" }, { "cve": "CVE-2022-41858", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41858" }, { "cve": "CVE-2022-41881", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41881" }, { "cve": "CVE-2022-41903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41903" }, { "cve": "CVE-2022-41915", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41915" }, { "cve": "CVE-2022-41966", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41966" }, { "cve": "CVE-2022-41974", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-41974" }, { "cve": "CVE-2022-42003", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42003" }, { "cve": "CVE-2022-42004", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42004" }, { "cve": "CVE-2022-42010", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42010" }, { "cve": "CVE-2022-42011", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42011" }, { "cve": "CVE-2022-42012", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42012" }, { "cve": "CVE-2022-42328", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42328" }, { "cve": "CVE-2022-42329", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42329" }, { "cve": "CVE-2022-42703", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42703" }, { "cve": "CVE-2022-42889", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42889" }, { "cve": "CVE-2022-42895", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42895" }, { "cve": "CVE-2022-42896", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42896" }, { "cve": "CVE-2022-42898", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42898" }, { "cve": "CVE-2022-4292", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4292" }, { "cve": "CVE-2022-4293", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4293" }, { "cve": "CVE-2022-42969", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-42969" }, { "cve": "CVE-2022-4304", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4304" }, { "cve": "CVE-2022-43552", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-43552" }, { "cve": "CVE-2022-43680", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-43680" }, { "cve": "CVE-2022-43750", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-43750" }, { "cve": "CVE-2022-4378", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4378" }, { "cve": "CVE-2022-43945", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-43945" }, { "cve": "CVE-2022-43995", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-43995" }, { "cve": "CVE-2022-4415", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4415" }, { "cve": "CVE-2022-4450", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4450" }, { "cve": "CVE-2022-44638", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-44638" }, { "cve": "CVE-2022-45061", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-45061" }, { "cve": "CVE-2022-45688", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-45688" }, { "cve": "CVE-2022-45884", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-45884" }, { "cve": "CVE-2022-45885", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-45885" }, { "cve": "CVE-2022-45886", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-45886" }, { "cve": "CVE-2022-45887", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-45887" }, { "cve": "CVE-2022-45919", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-45919" }, { "cve": "CVE-2022-45934", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-45934" }, { "cve": "CVE-2022-45939", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-45939" }, { "cve": "CVE-2022-4662", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-4662" }, { "cve": "CVE-2022-46751", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-46751" }, { "cve": "CVE-2022-46908", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-46908" }, { "cve": "CVE-2022-47629", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-47629" }, { "cve": "CVE-2022-47929", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-47929" }, { "cve": "CVE-2022-48281", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-48281" }, { "cve": "CVE-2022-48337", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-48337" }, { "cve": "CVE-2022-48339", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2022-48339" }, { "cve": "CVE-2023-0045", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0045" }, { "cve": "CVE-2023-0049", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0049" }, { "cve": "CVE-2023-0051", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0051" }, { "cve": "CVE-2023-0054", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0054" }, { "cve": "CVE-2023-0215", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0215" }, { "cve": "CVE-2023-0286", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0286" }, { "cve": "CVE-2023-0288", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0288" }, { "cve": "CVE-2023-0433", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0433" }, { "cve": "CVE-2023-0464", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0464" }, { "cve": "CVE-2023-0465", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0465" }, { "cve": "CVE-2023-0466", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0466" }, { "cve": "CVE-2023-0512", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0512" }, { "cve": "CVE-2023-0590", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0590" }, { "cve": "CVE-2023-0597", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0597" }, { "cve": "CVE-2023-0833", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-0833" }, { "cve": "CVE-2023-1076", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1076" }, { "cve": "CVE-2023-1095", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1095" }, { "cve": "CVE-2023-1118", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1118" }, { "cve": "CVE-2023-1127", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1127" }, { "cve": "CVE-2023-1170", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1170" }, { "cve": "CVE-2023-1175", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1175" }, { "cve": "CVE-2023-1370", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1370" }, { "cve": "CVE-2023-1380", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1380" }, { "cve": "CVE-2023-1390", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1390" }, { "cve": "CVE-2023-1436", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1436" }, { "cve": "CVE-2023-1513", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1513" }, { "cve": "CVE-2023-1611", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1611" }, { "cve": "CVE-2023-1670", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1670" }, { "cve": "CVE-2023-1855", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1855" }, { "cve": "CVE-2023-1989", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1989" }, { "cve": "CVE-2023-1990", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1990" }, { "cve": "CVE-2023-1998", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-1998" }, { "cve": "CVE-2023-20862", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-20862" }, { "cve": "CVE-2023-2124", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2124" }, { "cve": "CVE-2023-2162", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2162" }, { "cve": "CVE-2023-2176", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2176" }, { "cve": "CVE-2023-21830", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21830" }, { "cve": "CVE-2023-21835", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21835" }, { "cve": "CVE-2023-21843", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21843" }, { "cve": "CVE-2023-21930", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21930" }, { "cve": "CVE-2023-21937", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21937" }, { "cve": "CVE-2023-21938", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21938" }, { "cve": "CVE-2023-21939", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21939" }, { "cve": "CVE-2023-2194", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2194" }, { "cve": "CVE-2023-21954", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21954" }, { "cve": "CVE-2023-21967", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21967" }, { "cve": "CVE-2023-21968", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-21968" }, { "cve": "CVE-2023-22490", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-22490" }, { "cve": "CVE-2023-2253", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2253" }, { "cve": "CVE-2023-22809", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-22809" }, { "cve": "CVE-2023-23454", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-23454" }, { "cve": "CVE-2023-23455", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-23455" }, { "cve": "CVE-2023-23559", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-23559" }, { "cve": "CVE-2023-23916", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-23916" }, { "cve": "CVE-2023-23946", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-23946" }, { "cve": "CVE-2023-24329", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-24329" }, { "cve": "CVE-2023-24532", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-24532" }, { "cve": "CVE-2023-24534", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-24534" }, { "cve": "CVE-2023-2483", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2483" }, { "cve": "CVE-2023-24998", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-24998" }, { "cve": "CVE-2023-2513", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2513" }, { "cve": "CVE-2023-25193", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-25193" }, { "cve": "CVE-2023-25652", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-25652" }, { "cve": "CVE-2023-25690", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-25690" }, { "cve": "CVE-2023-25809", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-25809" }, { "cve": "CVE-2023-25815", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-25815" }, { "cve": "CVE-2023-26048", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-26048" }, { "cve": "CVE-2023-26049", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-26049" }, { "cve": "CVE-2023-2650", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2650" }, { "cve": "CVE-2023-26545", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-26545" }, { "cve": "CVE-2023-26604", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-26604" }, { "cve": "CVE-2023-27533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-27533" }, { "cve": "CVE-2023-27534", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-27534" }, { "cve": "CVE-2023-27535", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-27535" }, { "cve": "CVE-2023-27536", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-27536" }, { "cve": "CVE-2023-27538", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-27538" }, { "cve": "CVE-2023-27561", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-27561" }, { "cve": "CVE-2023-2828", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2828" }, { "cve": "CVE-2023-28320", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28320" }, { "cve": "CVE-2023-28321", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28321" }, { "cve": "CVE-2023-28322", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28322" }, { "cve": "CVE-2023-28328", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28328" }, { "cve": "CVE-2023-28464", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28464" }, { "cve": "CVE-2023-28486", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28486" }, { "cve": "CVE-2023-28487", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28487" }, { "cve": "CVE-2023-28642", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28642" }, { "cve": "CVE-2023-28772", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28772" }, { "cve": "CVE-2023-28840", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28840" }, { "cve": "CVE-2023-28841", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28841" }, { "cve": "CVE-2023-28842", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-28842" }, { "cve": "CVE-2023-29007", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-29007" }, { "cve": "CVE-2023-29383", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-29383" }, { "cve": "CVE-2023-29402", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-29402" }, { "cve": "CVE-2023-29406", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-29406" }, { "cve": "CVE-2023-29409", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-29409" }, { "cve": "CVE-2023-2976", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-2976" }, { "cve": "CVE-2023-30630", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-30630" }, { "cve": "CVE-2023-30772", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-30772" }, { "cve": "CVE-2023-31084", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-31084" }, { "cve": "CVE-2023-3138", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-3138" }, { "cve": "CVE-2023-31436", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-31436" }, { "cve": "CVE-2023-31484", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-31484" }, { "cve": "CVE-2023-32269", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-32269" }, { "cve": "CVE-2023-32697", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-32697" }, { "cve": "CVE-2023-33264", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-33264" }, { "cve": "CVE-2023-34034", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-34034" }, { "cve": "CVE-2023-34035", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-34035" }, { "cve": "CVE-2023-34453", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-34453" }, { "cve": "CVE-2023-34454", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-34454" }, { "cve": "CVE-2023-34455", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-34455" }, { "cve": "CVE-2023-34462", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-34462" }, { "cve": "CVE-2023-35116", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-35116" }, { "cve": "CVE-2023-3635", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-3635" }, { "cve": "CVE-2023-36479", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-36479" }, { "cve": "CVE-2023-39533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-39533" }, { "cve": "CVE-2023-40167", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-40167" }, { "cve": "CVE-2023-40217", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-40217" }, { "cve": "CVE-2023-41105", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-41105" }, { "cve": "CVE-2023-41900", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-41900" }, { "cve": "CVE-2023-43642", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-43642" }, { "cve": "CVE-2023-43804", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-43804" }, { "cve": "CVE-2023-44487", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-44487" }, { "cve": "CVE-2023-45803", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2023-45803" }, { "cve": "CVE-2024-21626", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T033919" ] }, "release_date": "2024-04-04T22:00:00.000+00:00", "title": "CVE-2024-21626" } ] }
wid-sec-w-2024-1926
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "JBoss Enterprise Application Platform ist eine skalierbare Plattform f\u00fcr Java-Anwendungen, inklusive JBoss Application Server, JBoss Hibernate und Boss Seam.\r\nRed Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer kann mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen.", "title": "Angriff" }, { "category": "general", "text": "- Sonstiges\n- UNIX", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-1926 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1926.json" }, { "category": "self", "summary": "WID-SEC-2024-1926 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1926" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:5856 vom 2024-08-26", "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:10207 vom 2024-11-25", "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "source_lang": "en-US", "title": "Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-11-24T23:00:00.000+00:00", "generator": { "date": "2024-11-25T09:11:57.787+00:00", "engine": { "name": "BSI-WID", "version": "1.3.8" } }, "id": "WID-SEC-W-2024-1926", "initial_release_date": "2024-08-26T22:00:00.000+00:00", "revision_history": [ { "date": "2024-08-26T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2024-11-24T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Red Hat aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "7", "product": { "name": "Red Hat Enterprise Linux 7", "product_id": "T037110", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7" } } } ], "category": "product_name", "name": "Enterprise Linux" }, { "branches": [ { "category": "product_version_range", "name": "\u003c7.1.7", "product": { "name": "Red Hat JBoss Enterprise Application Platform \u003c7.1.7", "product_id": "T037109" } }, { "category": "product_version", "name": "7.1.7", "product": { "name": "Red Hat JBoss Enterprise Application Platform 7.1.7", "product_id": "T037109-fixed", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1.7" } } }, { "category": "product_version_range", "name": "\u003c7.3.11", "product": { "name": "Red Hat JBoss Enterprise Application Platform \u003c7.3.11", "product_id": "T039412" } }, { "category": "product_version", "name": "7.3.11", "product": { "name": "Red Hat JBoss Enterprise Application Platform 7.3.11", "product_id": "T039412-fixed", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3.11" } } } ], "category": "product_name", "name": "JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-10086", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-10086" }, { "cve": "CVE-2019-10174", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-10174" }, { "cve": "CVE-2019-12384", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-12384" }, { "cve": "CVE-2019-14379", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-14379" }, { "cve": "CVE-2019-14843", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-14843" }, { "cve": "CVE-2019-14888", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-14888" }, { "cve": "CVE-2019-16869", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-16869" }, { "cve": "CVE-2019-17531", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-17531" }, { "cve": "CVE-2019-20444", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-20444" }, { "cve": "CVE-2019-20445", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-20445" }, { "cve": "CVE-2019-9511", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-9511" }, { "cve": "CVE-2019-9512", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-9512" }, { "cve": "CVE-2019-9514", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-9514" }, { "cve": "CVE-2019-9515", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-9515" }, { "cve": "CVE-2020-1710", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2020-1710" }, { "cve": "CVE-2020-1745", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2020-1745" }, { "cve": "CVE-2020-1757", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2020-1757" }, { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2021-4104" }, { "cve": "CVE-2022-23302", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2022-23302" }, { "cve": "CVE-2022-23305", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2022-23305" }, { "cve": "CVE-2022-23307", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2022-23307" } ] }
WID-SEC-W-2024-0107
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Communications Applications umfasst eine Sammlung von Werkzeugen zur Verwaltung von Messaging-, Kommunikationsdiensten und -ressourcen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Communications Applications ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-0107 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0107.json" }, { "category": "self", "summary": "WID-SEC-2024-0107 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0107" }, { "category": "external", "summary": "Oracle Critical Patch Update Advisory - January 2024 - Appendix Oracle Communications Applications vom 2024-01-16", "url": "https://www.oracle.com/security-alerts/cpujan2024.html#AppendixCAGBU" } ], "source_lang": "en-US", "title": "Oracle Communications Applications: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-01-16T23:00:00.000+00:00", "generator": { "date": "2024-08-15T18:03:44.309+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2024-0107", "initial_release_date": "2024-01-16T23:00:00.000+00:00", "revision_history": [ { "date": "2024-01-16T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Oracle Communications Applications 7.4.0", "product": { "name": "Oracle Communications Applications 7.4.0", "product_id": "T018938", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.1", "product": { "name": "Oracle Communications Applications 7.4.1", "product_id": "T018939", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.1" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.2", "product": { "name": "Oracle Communications Applications 7.4.2", "product_id": "T018940", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.2" } } }, { "category": "product_name", "name": "Oracle Communications Applications 6.0.1.0.0", "product": { "name": "Oracle Communications Applications 6.0.1.0.0", "product_id": "T021634", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:6.0.1.0.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.5.0", "product": { "name": "Oracle Communications Applications 7.5.0", "product_id": "T021639", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.5.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4", "product": { "name": "Oracle Communications Applications 7.4", "product_id": "T022811", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 12.0.6.0.0", "product": { "name": "Oracle Communications Applications \u003c= 12.0.6.0.0", "product_id": "T027325", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:12.0.6.0.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 12.0.0.8.0", "product": { "name": "Oracle Communications Applications \u003c= 12.0.0.8.0", "product_id": "T028669", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:12.0.0.8.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 3.0.3.2", "product": { "name": "Oracle Communications Applications 3.0.3.2", "product_id": "T028670", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:3.0.3.2" } } }, { "category": "product_name", "name": "Oracle Communications Applications 10.0.1.7.0", "product": { "name": "Oracle Communications Applications 10.0.1.7.0", "product_id": "T028674", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:10.0.1.7.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.0.7.0", "product": { "name": "Oracle Communications Applications 7.4.0.7.0", "product_id": "T028676", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.0.7.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.1.5.0", "product": { "name": "Oracle Communications Applications 7.4.1.5.0", "product_id": "T028677", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.1.5.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.2.8.0", "product": { "name": "Oracle Communications Applications 7.4.2.8.0", "product_id": "T028678", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.2.8.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 6.3.1.0.0", "product": { "name": "Oracle Communications Applications 6.3.1.0.0", "product_id": "T030578", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:6.3.1.0.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 12.0.0.8", "product": { "name": "Oracle Communications Applications \u003c= 12.0.0.8", "product_id": "T030579", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:12.0.0.8" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 6.0.3", "product": { "name": "Oracle Communications Applications \u003c= 6.0.3", "product_id": "T030581", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:6.0.3" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 12.0.0.7", "product": { "name": "Oracle Communications Applications \u003c= 12.0.0.7", "product_id": "T032083", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:12.0.0.7" } } }, { "category": "product_name", "name": "Oracle Communications Applications 15.0.0.0.0", "product": { "name": "Oracle Communications Applications 15.0.0.0.0", "product_id": "T032084", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:15.0.0.0.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 3.0.3.3", "product": { "name": "Oracle Communications Applications 3.0.3.3", "product_id": "T032085", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:3.0.3.3" } } }, { "category": "product_name", "name": "Oracle Communications Applications 8.1.0.24.0", "product": { "name": "Oracle Communications Applications 8.1.0.24.0", "product_id": "T032086", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:8.1.0.24.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 5.5.19", "product": { "name": "Oracle Communications Applications \u003c= 5.5.19", "product_id": "T032087", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:5.5.19" } } } ], "category": "product_name", "name": "Communications Applications" } ], "category": "vendor", "name": "Oracle" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-5072", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-5072" }, { "cve": "CVE-2023-45648", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-45648" }, { "cve": "CVE-2023-44981", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-44981" }, { "cve": "CVE-2023-44487", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-44487" }, { "cve": "CVE-2023-44483", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-44483" }, { "cve": "CVE-2023-42794", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-42794" }, { "cve": "CVE-2023-42503", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-42503" }, { "cve": "CVE-2023-37536", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-37536" }, { "cve": "CVE-2023-34981", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-34981" }, { "cve": "CVE-2023-34034", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-34034" }, { "cve": "CVE-2023-33201", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-33201" }, { "cve": "CVE-2023-31122", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-31122" }, { "cve": "CVE-2023-2976", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-2976" }, { "cve": "CVE-2023-28823", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-28823" }, { "cve": "CVE-2023-25194", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-25194" }, { "cve": "CVE-2023-20883", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-20883" }, { "cve": "CVE-2022-45868", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-45868" }, { "cve": "CVE-2022-42920", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-42920" }, { "cve": "CVE-2022-36944", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-36944" }, { "cve": "CVE-2022-31160", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-31160" }, { "cve": "CVE-2022-31147", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-31147" }, { "cve": "CVE-2022-1471", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-1471" }, { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2021-4104" }, { "cve": "CVE-2021-37533", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2021-37533" } ] }
WID-SEC-W-2024-1926
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "JBoss Enterprise Application Platform ist eine skalierbare Plattform f\u00fcr Java-Anwendungen, inklusive JBoss Application Server, JBoss Hibernate und Boss Seam.\r\nRed Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer kann mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen.", "title": "Angriff" }, { "category": "general", "text": "- Sonstiges\n- UNIX", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-1926 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1926.json" }, { "category": "self", "summary": "WID-SEC-2024-1926 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1926" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:5856 vom 2024-08-26", "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:10207 vom 2024-11-25", "url": "https://access.redhat.com/errata/RHSA-2024:10207" } ], "source_lang": "en-US", "title": "Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-11-24T23:00:00.000+00:00", "generator": { "date": "2024-11-25T09:11:57.787+00:00", "engine": { "name": "BSI-WID", "version": "1.3.8" } }, "id": "WID-SEC-W-2024-1926", "initial_release_date": "2024-08-26T22:00:00.000+00:00", "revision_history": [ { "date": "2024-08-26T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2024-11-24T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Red Hat aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "7", "product": { "name": "Red Hat Enterprise Linux 7", "product_id": "T037110", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7" } } } ], "category": "product_name", "name": "Enterprise Linux" }, { "branches": [ { "category": "product_version_range", "name": "\u003c7.1.7", "product": { "name": "Red Hat JBoss Enterprise Application Platform \u003c7.1.7", "product_id": "T037109" } }, { "category": "product_version", "name": "7.1.7", "product": { "name": "Red Hat JBoss Enterprise Application Platform 7.1.7", "product_id": "T037109-fixed", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1.7" } } }, { "category": "product_version_range", "name": "\u003c7.3.11", "product": { "name": "Red Hat JBoss Enterprise Application Platform \u003c7.3.11", "product_id": "T039412" } }, { "category": "product_version", "name": "7.3.11", "product": { "name": "Red Hat JBoss Enterprise Application Platform 7.3.11", "product_id": "T039412-fixed", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3.11" } } } ], "category": "product_name", "name": "JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-10086", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-10086" }, { "cve": "CVE-2019-10174", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-10174" }, { "cve": "CVE-2019-12384", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-12384" }, { "cve": "CVE-2019-14379", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-14379" }, { "cve": "CVE-2019-14843", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-14843" }, { "cve": "CVE-2019-14888", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-14888" }, { "cve": "CVE-2019-16869", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-16869" }, { "cve": "CVE-2019-17531", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-17531" }, { "cve": "CVE-2019-20444", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-20444" }, { "cve": "CVE-2019-20445", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-20445" }, { "cve": "CVE-2019-9511", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-9511" }, { "cve": "CVE-2019-9512", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-9512" }, { "cve": "CVE-2019-9514", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-9514" }, { "cve": "CVE-2019-9515", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2019-9515" }, { "cve": "CVE-2020-1710", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2020-1710" }, { "cve": "CVE-2020-1745", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2020-1745" }, { "cve": "CVE-2020-1757", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2020-1757" }, { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2021-4104" }, { "cve": "CVE-2022-23302", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2022-23302" }, { "cve": "CVE-2022-23305", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2022-23305" }, { "cve": "CVE-2022-23307", "notes": [ { "category": "description", "text": "Es gibt mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform auf Red Hat Enterprise Linux. Diese Schwachstellen bestehen in verschiedenen Komponenten wie Undertow, Log4j und HTTP/2 und FasterXML aufgrund einer Reihe von sicherheitsrelevanten Problemen wie unsachgem\u00e4\u00dfer Eingabevalidierung, unzureichenden Zugriffskontrollen, M\u00e4ngeln in kryptografischen Implementierungen und Fehlkonfigurationen bei der Behandlung von Benutzerdaten oder HTTP-Anfragen. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu erzeugen, vertrauliche Informationen preiszugeben, Dateien und Daten zu manipulieren oder Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T037109", "T037110", "T039412" ] }, "release_date": "2024-08-26T22:00:00.000+00:00", "title": "CVE-2022-23307" } ] }
WID-SEC-W-2022-0520
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Apache log4j ist ein Framework zum Loggen von Anwendungsmeldungen in Java.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Apache log4j ausnutzen, um beliebigen Programmcode mit den Rechten des Dienstes auszuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Appliance\n- Juniper Appliance\n- Linux\n- Sonstiges\n- UNIX\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2022-0520 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2022-0520.json" }, { "category": "self", "summary": "WID-SEC-2022-0520 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0520" }, { "category": "external", "summary": "NVD NIST vom 2021-12-15", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "IBM Security Advisory vom 2021-12-15", "url": "https://www.ibm.com/support/pages/node/6526432" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5148 vom 2021-12-15", "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4096-1 vom 2021-12-15", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009911.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4097-1 vom 2021-12-15", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009912.html" }, { "category": "external", "summary": "Atlassian Security Advisory - Log4j", "url": "https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5186 vom 2021-12-17", "url": "https://access.redhat.com/errata/RHSA-2021:5186" }, { "category": "external", "summary": "IBM Security Bulletin 6527226 vom 2021-12-17", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-some-features-of-ibm-db2-on-openshift-and-ibm-db2-and-db2-warehouse-on-cloud-pak-for-data-cve-2021-44228/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5183 vom 2021-12-17", "url": "https://access.redhat.com/errata/RHSA-2021:5183" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5184 vom 2021-12-17", "url": "https://access.redhat.com/errata/RHSA-2021:5184" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5141 vom 2021-12-16", "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5107 vom 2021-12-16", "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "external", "summary": "Log4j Vulnerabilities Impact On Oracle E-Business Suite Analysis", "url": "https://www.integrigy.com/security-resources/log4j-vulnerabilities-impact-oracle-e-business-suite-analysis" }, { "category": "external", "summary": "Atos Security Advisory Report - OBSO-2112-01", "url": "https://networks.unify.com/security/advisories/OBSO-2112-01.pdf" }, { "category": "external", "summary": "HCL Article KB0095587 vom 2021-12-17", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0095587" }, { "category": "external", "summary": "IBM Security Bulletin 6527952 vom 2021-12-18", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-log4shell-vulnerability-affects-ibm-spss-statistics-cve-2021-4104/" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4112-1 vom 2021-12-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009916.html" }, { "category": "external", "summary": "IBM Security Bulletin 6527834 vom 2021-12-18", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-cve-2021-4104-affects-infosphere-data-replication/" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4115-1 vom 2021-12-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009918.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4111-1 vom 2021-12-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009917.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:14866-1 vom 2021-12-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009915.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5206 vom 2021-12-20", "url": "https://access.redhat.com/errata/RHSA-2021:5206" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2021-5206 vom 2021-12-21", "url": "https://linux.oracle.com/errata/ELSA-2021-5206.html" }, { "category": "external", "summary": "IBM Security Bulletin 6528678 vom 2021-12-22", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-some-features-of-ibm-db2-cve-2021-4104/" }, { "category": "external", "summary": "IBM Security Bulletin 6529056 vom 2021-12-22", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-app-connect-enterprise-v11-v12-and-ibm-integration-bus-cve-2021-4104/" }, { "category": "external", "summary": "CentOS Security Advisory CESA-2021:5206 vom 2021-12-21", "url": "https://lists.centos.org/pipermail/centos-announce/2021-December/060975.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4160-1 vom 2021-12-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009934.html" }, { "category": "external", "summary": "IBM Security Bulletin 6536868 vom 2021-12-23", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-have-been-identified-in-apache-log4j-shipped-with-ibm-tivoli-netcool-omnibus-common-integration-libraries-cve-2021-4104-cve-2021-45046-cve-2021-44228/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5269 vom 2021-12-23", "url": "https://access.redhat.com/errata/RHSA-2021:5269" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4190-1 vom 2021-12-24", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009943.html" }, { "category": "external", "summary": "EMC Security Advisory DSA-2021-274 vom 2022-01-09", "url": "https://www.dell.com/support/kbdoc/de-de/000194503/dsa-2021-274-dell-emc-data-domain-security-update-for-apache-log4j-remote-code-execution-vulnerability-cve-2021-44228" }, { "category": "external", "summary": "HPE Security Bulletin HPESBGN04215 rev.10 vom 2022-01-08", "url": "https://support.hpe.com/hpesc/public/docDisplay?elq_mid=17739\u0026elq_cid=67018031\u0026docId=hpesbgn04215en_us" }, { "category": "external", "summary": "IBM Security Bulletin 6539408 vom 2022-01-11", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-log4j-affect-the-ibm-websphere-application-server-and-ibm-security-guardium-key-lifecycle-manager-cve-2021-4104-cve-2021-45046-cve-2021-45105/" }, { "category": "external", "summary": "Juniper Security Bulletin JSA11287 vom 2022-01-12", "url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11287\u0026cat=SIRT_1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-5223-1 vom 2022-01-13", "url": "https://ubuntu.com/security/notices/USN-5223-1" }, { "category": "external", "summary": "IBM Security Bulletin 6540892 vom 2022-01-15", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-some-features-of-ibm-spss-analytic-server-cve-2021-4104/" }, { "category": "external", "summary": "Unify Security Advisory Report OBSO-2201-01 vom 2022-01-18", "url": "https://networks.unify.com/security/advisories/OBSO-2201-01.pdf" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2022-1562 vom 2022-01-20", "url": "https://alas.aws.amazon.com/ALAS-2022-1562.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0126-1 vom 2022-01-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-January/010026.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0133-1 vom 2022-01-20", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-January/010032.html" }, { "category": "external", "summary": "IBM Security Bulletin 6550448 vom 2022-01-25", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-data-studio-client-cve-2021-4104/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0291 vom 2022-01-26", "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0289 vom 2022-01-26", "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0294 vom 2022-01-26", "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2022-9056 vom 2022-01-26", "url": "https://linux.oracle.com/errata/ELSA-2022-9056.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0290 vom 2022-01-26", "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2022-0290 vom 2022-01-27", "url": "http://linux.oracle.com/errata/ELSA-2022-0290.html" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2022-1739 vom 2022-01-27", "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1739.html" }, { "category": "external", "summary": "IBM Security Bulletin 6551880 vom 2022-01-29", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-spectrum-scale-cve-2021-4104/" }, { "category": "external", "summary": "Debian Security Advisory DLA-2905 vom 2022-01-31", "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00033.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0436 vom 2022-02-04", "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "external", "summary": "IBM Security Bulletin 6553622 vom 2022-02-04", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-server-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44228-3/" }, { "category": "external", "summary": "IBM Security Bulletin 6553626 vom 2022-02-04", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-cve-2021-44228-in-ibm-informix-dynamic-server-in-cloud-pak-for-data-2/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0438 vom 2022-02-04", "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0430 vom 2022-02-03", "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0435 vom 2022-02-04", "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0437 vom 2022-02-04", "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0450 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0445 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0448 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0449 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0446 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0447 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0444 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0475 vom 2022-02-09", "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0497 vom 2022-02-09", "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0354-1 vom 2022-02-09", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-February/010195.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0355-1 vom 2022-02-09", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-February/010196.html" }, { "category": "external", "summary": "HCL Article KB0097471 vom 2022-05-18", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097471" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0507 vom 2022-02-10", "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0527 vom 2022-02-14", "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0524 vom 2022-02-14", "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0553 vom 2022-02-15", "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0661 vom 2022-02-23", "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2022-9419 vom 2022-05-23", "url": "https://linux.oracle.com/errata/ELSA-2022-9419.html" }, { "category": "external", "summary": "IBM Security Bulletin 6563561 vom 2022-03-16", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104/" }, { "category": "external", "summary": "IBM Security Bulletin 6565387 vom 2022-03-23", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-websphere-service-registry-and-repository-cve-2021-4104/" }, { "category": "external", "summary": "HCL Article KB0097470 vom 2022-03-25", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097470" }, { "category": "external", "summary": "HCL Article KB0096807 vom 2022-03-29", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0096807" }, { "category": "external", "summary": "IBM Security Bulletin", "url": "https://www.ibm.com/support/pages/node/6569189" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1296 vom 2022-04-11", "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1297 vom 2022-04-11", "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1299 vom 2022-04-11", "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "external", "summary": "HCL Article KB0097639 vom 2022-04-23", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097639" }, { "category": "external", "summary": "HCL Article KB0097650 vom 2022-04-23", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097650" }, { "category": "external", "summary": "AVAYA Security Advisory ASA-2022-022 vom 2022-04-25", "url": "https://downloads.avaya.com/css/P8/documents/101081577" }, { "category": "external", "summary": "HCL Article KB0097787 vom 2022-04-28", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097787" }, { "category": "external", "summary": "IBM Security Bulletin 6575541 vom 2022-04-28", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-may-be-affected-by-vulnerabilities-in-apache-log4j-1-x-version/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:5460 vom 2022-07-01", "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:5458 vom 2022-07-01", "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:5459 vom 2022-07-01", "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "external", "summary": "HCL Article KB0099671 vom 2022-07-24", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099671" }, { "category": "external", "summary": "HCL Article KB0099128 vom 2022-07-24", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099128" }, { "category": "external", "summary": "HCL Article KB0099131 vom 2022-07-24", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099131" }, { "category": "external", "summary": "HCL Article KB0099667 vom 2022-08-13", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099667" }, { "category": "external", "summary": "HCL Article KB0099669 vom 2022-08-13", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099669" }, { "category": "external", "summary": "HCL Article KB0100505 vom 2022-09-21", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0100505" }, { "category": "external", "summary": "IBM Security Bulletin 6829357 vom 2022-10-15", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-may-be-affected-by-vulnerabilities-in-apache-log4j-1-x-version-2/" }, { "category": "external", "summary": "IBM Security Bulletin 6831267 vom 2022-10-22", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-manager-is-affected-by-log4j-vulnerability-cve-2021-4104/" }, { "category": "external", "summary": "IBM Security Bulletin 6832160 vom 2022-10-27", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4j-ibm-qradar-siem-is-vulnerable-to-arbitrary-code-execution-cve-2019-17571-cve-2021-44832-cve-2021-4104/" }, { "category": "external", "summary": "IBM Security Bulletin 7009621 vom 2023-07-25", "url": "https://www.ibm.com/support/pages/node/7014395" }, { "category": "external", "summary": "Gentoo Linux Security Advisory GLSA-202312-04 vom 2023-12-22", "url": "https://www.cybersecurity-help.cz/vdb/SB2023122213" }, { "category": "external", "summary": "Gentoo Linux Security Advisory GLSA-202312-04 vom 2023-12-22", "url": "https://security.gentoo.org/glsa/202312-04" }, { "category": "external", "summary": "IBM Security Bulletin vom 2023-10-27", "url": "https://www.ibm.com/support/pages/node/7060803" }, { "category": "external", "summary": "IBM Security Bulletin 7152257 vom 2024-05-15", "url": "https://www.ibm.com/support/pages/node/7152257" } ], "source_lang": "en-US", "title": "Apache log4j: Schwachstelle erm\u00f6glicht Ausf\u00fchren von beliebigem Programmcode", "tracking": { "current_release_date": "2024-05-14T22:00:00.000+00:00", "generator": { "date": "2024-08-15T17:29:46.074+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2022-0520", "initial_release_date": "2021-12-15T23:00:00.000+00:00", "revision_history": [ { "date": "2021-12-15T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2021-12-16T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Atlassian, Red Hat, Unify und IBM aufgenommen" }, { "date": "2021-12-19T23:00:00.000+00:00", "number": "3", "summary": "Neue Updates von HCL, IBM und SUSE aufgenommen" }, { "date": "2021-12-20T23:00:00.000+00:00", "number": "4", "summary": "Neue Updates von Red Hat und Oracle Linux aufgenommen" }, { "date": "2021-12-21T23:00:00.000+00:00", "number": "5", "summary": "Neue Updates von IBM und CentOS aufgenommen" }, { "date": "2021-12-22T23:00:00.000+00:00", "number": "6", "summary": "Neue Updates von SUSE, IBM und Red Hat aufgenommen" }, { "date": "2021-12-26T23:00:00.000+00:00", "number": "7", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-01-09T23:00:00.000+00:00", "number": "8", "summary": "Neue Updates von EMC und HP aufgenommen" }, { "date": "2022-01-10T23:00:00.000+00:00", "number": "9", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-12T23:00:00.000+00:00", "number": "10", "summary": "Neue Updates von Juniper aufgenommen" }, { "date": "2022-01-13T23:00:00.000+00:00", "number": "11", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2022-01-16T23:00:00.000+00:00", "number": "12", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-18T23:00:00.000+00:00", "number": "13", "summary": "Neue Updates von Unify aufgenommen" }, { "date": "2022-01-19T23:00:00.000+00:00", "number": "14", "summary": "Neue Updates von Amazon und SUSE aufgenommen" }, { "date": "2022-01-20T23:00:00.000+00:00", "number": "15", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-01-24T23:00:00.000+00:00", "number": "16", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-26T23:00:00.000+00:00", "number": "17", "summary": "Neue Updates von Red Hat und Oracle Linux aufgenommen" }, { "date": "2022-01-27T23:00:00.000+00:00", "number": "18", "summary": "Neue Updates von Oracle Linux und Amazon aufgenommen" }, { "date": "2022-01-30T23:00:00.000+00:00", "number": "19", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-31T23:00:00.000+00:00", "number": "20", "summary": "Neue Updates von Debian aufgenommen" }, { "date": "2022-02-03T23:00:00.000+00:00", "number": "21", "summary": "Neue Updates von Red Hat und IBM aufgenommen" }, { "date": "2022-02-07T23:00:00.000+00:00", "number": "22", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-08T23:00:00.000+00:00", "number": "23", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-09T23:00:00.000+00:00", "number": "24", "summary": "Neue Updates von Red Hat und SUSE aufgenommen" }, { "date": "2022-02-10T23:00:00.000+00:00", "number": "25", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-14T23:00:00.000+00:00", "number": "26", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-15T23:00:00.000+00:00", "number": "27", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-23T23:00:00.000+00:00", "number": "28", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-03-15T23:00:00.000+00:00", "number": "29", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-03-22T23:00:00.000+00:00", "number": "30", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-03-24T23:00:00.000+00:00", "number": "31", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-03-29T22:00:00.000+00:00", "number": "32", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-04-04T22:00:00.000+00:00", "number": "33", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-04-11T22:00:00.000+00:00", "number": "34", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-04-24T22:00:00.000+00:00", "number": "35", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-04-26T22:00:00.000+00:00", "number": "36", "summary": "Neue Updates von AVAYA aufgenommen" }, { "date": "2022-04-27T22:00:00.000+00:00", "number": "37", "summary": "Neue Updates von HCL und IBM aufgenommen" }, { "date": "2022-05-17T22:00:00.000+00:00", "number": "38", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-05-23T22:00:00.000+00:00", "number": "39", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2022-06-30T22:00:00.000+00:00", "number": "40", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-07-24T22:00:00.000+00:00", "number": "41", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-08-14T22:00:00.000+00:00", "number": "42", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-09-20T22:00:00.000+00:00", "number": "43", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-10-16T22:00:00.000+00:00", "number": "44", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-10-23T22:00:00.000+00:00", "number": "45", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-10-26T22:00:00.000+00:00", "number": "46", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2023-07-24T22:00:00.000+00:00", "number": "47", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2023-10-29T23:00:00.000+00:00", "number": "48", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2023-12-21T23:00:00.000+00:00", "number": "49", "summary": "Neue Updates von Gentoo aufgenommen" }, { "date": "2024-05-14T22:00:00.000+00:00", "number": "50", "summary": "Neue Updates von IBM aufgenommen" } ], "status": "final", "version": "50" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Amazon Linux 2", "product": { "name": "Amazon Linux 2", "product_id": "398363", "product_identification_helper": { "cpe": "cpe:/o:amazon:linux_2:-" } } } ], "category": "vendor", "name": "Amazon" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "1.2", "product": { "name": "Apache log4j 1.2", "product_id": "T021343", "product_identification_helper": { "cpe": "cpe:/a:apache:log4j:1.2" } } }, { "category": "product_version_range", "name": "\u003c2", "product": { "name": "Apache log4j \u003c2", "product_id": "T021344" } } ], "category": "product_name", "name": "log4j" } ], "category": "vendor", "name": "Apache" }, { "branches": [ { "category": "product_name", "name": "Atlassian Bitbucket", "product": { "name": "Atlassian Bitbucket", "product_id": "T021356", "product_identification_helper": { "cpe": "cpe:/a:atlassian:bitbucket:-" } } } ], "category": "vendor", "name": "Atlassian" }, { "branches": [ { "category": "product_name", "name": "Avaya Aura Application Enablement Services", "product": { "name": "Avaya Aura Application Enablement Services", "product_id": "T015516", "product_identification_helper": { "cpe": "cpe:/a:avaya:aura_application_enablement_services:-" } } }, { "category": "product_name", "name": "Avaya Aura Communication Manager", "product": { "name": "Avaya Aura Communication Manager", "product_id": "T015126", "product_identification_helper": { "cpe": "cpe:/a:avaya:communication_manager:-" } } }, { "category": "product_name", "name": "Avaya Aura Experience Portal", "product": { "name": "Avaya Aura Experience Portal", "product_id": "T015519", "product_identification_helper": { "cpe": "cpe:/a:avaya:aura_experience_portal:-" } } }, { "category": "product_name", "name": "Avaya Aura Session Manager", "product": { "name": "Avaya Aura Session Manager", "product_id": "T015127", "product_identification_helper": { "cpe": "cpe:/a:avaya:session_manager:-" } } }, { "category": "product_name", "name": "Avaya Aura System Manager", "product": { "name": "Avaya Aura System Manager", "product_id": "T015518", "product_identification_helper": { "cpe": "cpe:/a:avaya:aura_system_manager:-" } } }, { "category": "product_name", "name": "Avaya Web License Manager", "product": { "name": "Avaya Web License Manager", "product_id": "T016243", "product_identification_helper": { "cpe": "cpe:/a:avaya:web_license_manager:-" } } }, { "category": "product_name", "name": "Avaya one-X", "product": { "name": "Avaya one-X", "product_id": "1024", "product_identification_helper": { "cpe": "cpe:/a:avaya:one-x:-" } } } ], "category": "vendor", "name": "Avaya" }, { "branches": [ { "category": "product_name", "name": "Debian Linux", "product": { "name": "Debian Linux", "product_id": "2951", "product_identification_helper": { "cpe": "cpe:/o:debian:debian_linux:-" } } } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "category": "product_name", "name": "EMC Data Domain", "product": { "name": "EMC Data Domain", "product_id": "T021496", "product_identification_helper": { "cpe": "cpe:/o:emc:data_domain:-" } } }, { "category": "product_name", "name": "EMC Data Domain OS", "product": { "name": "EMC Data Domain OS", "product_id": "T006099", "product_identification_helper": { "cpe": "cpe:/o:emc:data_domain_os:-" } } } ], "category": "vendor", "name": "EMC" }, { "branches": [ { "category": "product_name", "name": "Gentoo Linux", "product": { "name": "Gentoo Linux", "product_id": "T012167", "product_identification_helper": { "cpe": "cpe:/o:gentoo:linux:-" } } } ], "category": "vendor", "name": "Gentoo" }, { "branches": [ { "category": "product_name", "name": "HCL Commerce", "product": { "name": "HCL Commerce", "product_id": "T019293", "product_identification_helper": { "cpe": "cpe:/a:hcltechsw:commerce:-" } } } ], "category": "vendor", "name": "HCL" }, { "branches": [ { "category": "product_name", "name": "IBM DB2", "product": { "name": "IBM DB2", "product_id": "5104", "product_identification_helper": { "cpe": "cpe:/a:ibm:db2:-" } } }, { "category": "product_name", "name": "IBM Data Studio", "product": { "name": "IBM Data Studio", "product_id": "T021807", "product_identification_helper": { "cpe": "cpe:/a:ibm:data_studio:-" } } }, { "category": "product_name", "name": "IBM InfoSphere Data Replication", "product": { "name": "IBM InfoSphere Data Replication", "product_id": "T021399", "product_identification_helper": { "cpe": "cpe:/a:ibm:infosphere_data_replication:-" } } }, { "branches": [ { "category": "product_version", "name": "11.7", "product": { "name": "IBM InfoSphere Information Server 11.7", "product_id": "444803", "product_identification_helper": { "cpe": "cpe:/a:ibm:infosphere_information_server:11.7" } } } ], "category": "product_name", "name": "InfoSphere Information Server" }, { "branches": [ { "category": "product_version", "name": "Dynamic Server", "product": { "name": "IBM Informix Dynamic Server", "product_id": "T021953", "product_identification_helper": { "cpe": "cpe:/a:ibm:informix:::dynamic_server" } } } ], "category": "product_name", "name": "Informix" }, { "category": "product_name", "name": "IBM Integration Bus", "product": { "name": "IBM Integration Bus", "product_id": "T011169", "product_identification_helper": { "cpe": "cpe:/a:ibm:integration_bus:-" } } }, { "branches": [ { "category": "product_version", "name": "7.6.1.2", "product": { "name": "IBM Maximo Asset Management 7.6.1.2", "product_id": "812526", "product_identification_helper": { "cpe": "cpe:/a:ibm:maximo_asset_management:7.6.1.2" } } } ], "category": "product_name", "name": "Maximo Asset Management" }, { "branches": [ { "category": "product_version", "name": "7.5", "product": { "name": "IBM QRadar SIEM 7.5", "product_id": "T022954", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.5" } } }, { "category": "product_version", "name": "7.5.0", "product": { "name": "IBM QRadar SIEM 7.5.0", "product_id": "T023574", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.5.0" } } }, { "category": "product_version", "name": "7.4", "product": { "name": "IBM QRadar SIEM 7.4", "product_id": "T024775", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.4" } } } ], "category": "product_name", "name": "QRadar SIEM" }, { "category": "product_name", "name": "IBM SPSS", "product": { "name": "IBM SPSS", "product_id": "T013570", "product_identification_helper": { "cpe": "cpe:/a:ibm:spss:-" } } }, { "category": "product_name", "name": "IBM Security Access Manager for Enterprise Single Sign-On", "product": { "name": "IBM Security Access Manager for Enterprise Single Sign-On", "product_id": "T006523", "product_identification_helper": { "cpe": "cpe:/a:ibm:security_access_manager_for_enterprise_single_sign_on:-" } } }, { "category": "product_name", "name": "IBM Security Guardium", "product": { "name": "IBM Security Guardium", "product_id": "T021345", "product_identification_helper": { "cpe": "cpe:/a:ibm:security_guardium:-" } } }, { "branches": [ { "category": "product_version", "name": "6.0.2", "product": { "name": "IBM Security Identity Manager 6.0.2", "product_id": "976243", "product_identification_helper": { "cpe": "cpe:/a:ibm:security_identity_manager:6.0.2" } } } ], "category": "product_name", "name": "Security Identity Manager" }, { "category": "product_name", "name": "IBM Spectrum Scale", "product": { "name": "IBM Spectrum Scale", "product_id": "T019402", "product_identification_helper": { "cpe": "cpe:/a:ibm:spectrum_scale:-" } } }, { "category": "product_name", "name": "IBM Tivoli Netcool/OMNIbus", "product": { "name": "IBM Tivoli Netcool/OMNIbus", "product_id": "T004181", "product_identification_helper": { "cpe": "cpe:/a:ibm:tivoli_netcool%2fomnibus:-" } } }, { "branches": [ { "category": "product_version", "name": "8.5.x", "product": { "name": "IBM WebSphere Service Registry and Repository 8.5.x", "product_id": "T022377", "product_identification_helper": { "cpe": "cpe:/a:ibm:websphere_service_registry_and_repository:8.5.x" } } } ], "category": "product_name", "name": "WebSphere Service Registry and Repository" } ], "category": "vendor", "name": "IBM" }, { "branches": [ { "category": "product_name", "name": "Juniper Junos Space", "product": { "name": "Juniper Junos Space", "product_id": "T003343", "product_identification_helper": { "cpe": "cpe:/a:juniper:junos_space:-" } } } ], "category": "vendor", "name": "Juniper" }, { "branches": [ { "category": "product_name", "name": "Open Source CentOS", "product": { "name": "Open Source CentOS", "product_id": "1727", "product_identification_helper": { "cpe": "cpe:/o:centos:centos:-" } } } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "Oracle E-Business Suite", "product": { "name": "Oracle E-Business Suite", "product_id": "8311", "product_identification_helper": { "cpe": "cpe:/a:oracle:e-business_suite:-" } } }, { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": "T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "8", "product": { "name": "Red Hat Enterprise Linux 8", "product_id": "T014111", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:8" } } } ], "category": "product_name", "name": "Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "4", "product": { "name": "Red Hat OpenShift 4", "product_id": "T018720", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4" } } }, { "category": "product_version", "name": "4.8", "product": { "name": "Red Hat OpenShift 4.8", "product_id": "T020020", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:container_platform_4.8" } } } ], "category": "product_name", "name": "OpenShift" } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" }, { "branches": [ { "category": "product_name", "name": "Ubuntu Linux", "product": { "name": "Ubuntu Linux", "product_id": "T000126", "product_identification_helper": { "cpe": "cpe:/o:canonical:ubuntu_linux:-" } } } ], "category": "vendor", "name": "Ubuntu" }, { "branches": [ { "category": "product_name", "name": "Unify OpenScape 4000", "product": { "name": "Unify OpenScape 4000", "product_id": "T018011", "product_identification_helper": { "cpe": "cpe:/h:unify:openscape_4000:-" } } }, { "category": "product_name", "name": "Unify OpenScape Branch", "product": { "name": "Unify OpenScape Branch", "product_id": "T018258", "product_identification_helper": { "cpe": "cpe:/h:unify:openscape_branch:-" } } }, { "category": "product_name", "name": "Unify OpenScape Contact Center", "product": { "name": "Unify OpenScape Contact Center", "product_id": "T008876", "product_identification_helper": { "cpe": "cpe:/a:unify:openscape_contact_center:-" } } }, { "category": "product_name", "name": "Unify OpenScape Deployment Service (DLS)", "product": { "name": "Unify OpenScape Deployment Service (DLS)", "product_id": "T015711", "product_identification_helper": { "cpe": "cpe:/a:unify:openscape_deployment_service:-" } } }, { "category": "product_name", "name": "Unify OpenScape Mediaserver", "product": { "name": "Unify OpenScape Mediaserver", "product_id": "T018253", "product_identification_helper": { "cpe": "cpe:/a:unify:openscape_mediaserver:-" } } }, { "category": "product_name", "name": "Unify OpenScape UC Application", "product": { "name": "Unify OpenScape UC Application", "product_id": "T015712", "product_identification_helper": { "cpe": "cpe:/a:unify:openscape_uc_application:-" } } }, { "category": "product_name", "name": "Unify OpenScape Voice", "product": { "name": "Unify OpenScape Voice", "product_id": "T008873", "product_identification_helper": { "cpe": "cpe:/a:unify:openscape_voice:-" } } }, { "category": "product_name", "name": "Unify OpenScape Xpert", "product": { "name": "Unify OpenScape Xpert", "product_id": "T018014", "product_identification_helper": { "cpe": "cpe:/h:unify:openscape_xpert:-" } } } ], "category": "vendor", "name": "Unify" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in Apache log4j aufgrund einer Deserialisierung von nicht vertrauensw\u00fcrdigen Daten, wenn der Angreifer Schreibzugriff auf die Log4j-Konfiguration hat und wenn die eingesetzte Anwendung f\u00fcr die Verwendung von JMSAppender konfiguriert ist. Ein entfernter authentisierter Angreifer mit bestimmten Rechten kann diese Schwachstelle ausnutzen, um beliebigen Code auf dem System auszuf\u00fchren." } ], "product_status": { "known_affected": [ "T008876", "T008873", "T003343", "T011169", "T015127", "T019293", "T015126", "T004914", "T014111", "T021807", "T018720", "812526", "398363", "T021496", "T006099", "T015519", "T015518", "T006523", "T015516", "T015712", "T015711", "T012167", "T018011", "T018253", "T013570", "T016243", "T018014", "T022954", "T018258", "T021345", "2951", "T002207", "1024", "444803", "5104", "T004181", "T024775", "T021343", "976243", "8311", "T021356", "T021399", "T021953", "T023574", "T020020", "T019402", "T000126", "T022377", "1727" ] }, "release_date": "2021-12-15T23:00:00.000+00:00", "title": "CVE-2021-4104" } ] }
WID-SEC-W-2023-0063
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Junos Space ist eine Software-Plattform, die eine Reihe von Applikationen f\u00fcr das Netzwerkmanagement beinhaltet.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Juniper Junos Space ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern.", "title": "Angriff" }, { "category": "general", "text": "- Juniper Appliance", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-0063 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2023-0063.json" }, { "category": "self", "summary": "WID-SEC-2023-0063 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0063" }, { "category": "external", "summary": "Juniper Security Advisory JSA70182 vom 2023-01-12", "url": "https://supportportal.juniper.net/s/article/2023-01-Security-Bulletin-Contrail-Service-Orchestration-Multiple-vulnerabilities-resolved-in-CSO-6-3-0?language=en_US" }, { "category": "external", "summary": "Juniper Security Advisory vom 2022-01-12", "url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11287\u0026cat=SIRT_1" } ], "source_lang": "en-US", "title": "Juniper Junos Space: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-01-11T23:00:00.000+00:00", "generator": { "date": "2024-08-15T17:41:07.526+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2023-0063", "initial_release_date": "2022-01-12T23:00:00.000+00:00", "revision_history": [ { "date": "2022-01-12T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-01-11T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Juniper aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Juniper Contrail Service Orchestration", "product": { "name": "Juniper Contrail Service Orchestration", "product_id": "T025794", "product_identification_helper": { "cpe": "cpe:/a:juniper:contrail_service_orchestration:-" } } }, { "category": "product_name", "name": "Juniper Junos Space \u003c 21.3R1", "product": { "name": "Juniper Junos Space \u003c 21.3R1", "product_id": "T021576", "product_identification_helper": { "cpe": "cpe:/a:juniper:junos_space:21.3r1" } } } ], "category": "vendor", "name": "Juniper" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-17543", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2019-17543" }, { "cve": "CVE-2019-20934", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2019-20934" }, { "cve": "CVE-2020-0543", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-0543" }, { "cve": "CVE-2020-0548", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-0548" }, { "cve": "CVE-2020-0549", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-0549" }, { "cve": "CVE-2020-11022", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-11022" }, { "cve": "CVE-2020-11023", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-11023" }, { "cve": "CVE-2020-11668", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-11668" }, { "cve": "CVE-2020-11984", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-11984" }, { "cve": "CVE-2020-11993", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-11993" }, { "cve": "CVE-2020-12362", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-12362" }, { "cve": "CVE-2020-12363", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-12363" }, { "cve": "CVE-2020-12364", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-12364" }, { "cve": "CVE-2020-1927", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-1927" }, { "cve": "CVE-2020-1934", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-1934" }, { "cve": "CVE-2020-24489", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-24489" }, { "cve": "CVE-2020-24511", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-24511" }, { "cve": "CVE-2020-24512", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-24512" }, { "cve": "CVE-2020-27170", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-27170" }, { "cve": "CVE-2020-27777", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-27777" }, { "cve": "CVE-2020-29443", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-29443" }, { "cve": "CVE-2020-8625", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-8625" }, { "cve": "CVE-2020-8648", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-8648" }, { "cve": "CVE-2020-8695", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-8695" }, { "cve": "CVE-2020-8696", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-8696" }, { "cve": "CVE-2020-8698", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-8698" }, { "cve": "CVE-2020-9490", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2020-9490" }, { "cve": "CVE-2021-20254", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-20254" }, { "cve": "CVE-2021-22555", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-22555" }, { "cve": "CVE-2021-22901", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-22901" }, { "cve": "CVE-2021-2341", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-2341" }, { "cve": "CVE-2021-2342", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-2342" }, { "cve": "CVE-2021-2356", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-2356" }, { "cve": "CVE-2021-2369", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-2369" }, { "cve": "CVE-2021-2372", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-2372" }, { "cve": "CVE-2021-2385", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-2385" }, { "cve": "CVE-2021-2388", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-2388" }, { "cve": "CVE-2021-2389", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-2389" }, { "cve": "CVE-2021-2390", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-2390" }, { "cve": "CVE-2021-25214", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-25214" }, { "cve": "CVE-2021-25217", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-25217" }, { "cve": "CVE-2021-27219", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-27219" }, { "cve": "CVE-2021-29154", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-29154" }, { "cve": "CVE-2021-29650", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-29650" }, { "cve": "CVE-2021-31535", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-31535" }, { "cve": "CVE-2021-32399", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-32399" }, { "cve": "CVE-2021-33033", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-33033" }, { "cve": "CVE-2021-33034", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-33034" }, { "cve": "CVE-2021-3347", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-3347" }, { "cve": "CVE-2021-33909", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-33909" }, { "cve": "CVE-2021-3653", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-3653" }, { "cve": "CVE-2021-3656", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-3656" }, { "cve": "CVE-2021-3715", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-3715" }, { "cve": "CVE-2021-37576", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-37576" }, { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-4104" }, { "cve": "CVE-2021-42550", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-42550" }, { "cve": "CVE-2021-44228", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-44228" }, { "cve": "CVE-2021-45046", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00.000+00:00", "title": "CVE-2021-45046" } ] }
wid-sec-w-2022-0520
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Apache log4j ist ein Framework zum Loggen von Anwendungsmeldungen in Java.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Apache log4j ausnutzen, um beliebigen Programmcode mit den Rechten des Dienstes auszuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Appliance\n- Juniper Appliance\n- Linux\n- Sonstiges\n- UNIX\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2022-0520 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2022-0520.json" }, { "category": "self", "summary": "WID-SEC-2022-0520 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0520" }, { "category": "external", "summary": "NVD NIST vom 2021-12-15", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "IBM Security Advisory vom 2021-12-15", "url": "https://www.ibm.com/support/pages/node/6526432" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5148 vom 2021-12-15", "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4096-1 vom 2021-12-15", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009911.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4097-1 vom 2021-12-15", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009912.html" }, { "category": "external", "summary": "Atlassian Security Advisory - Log4j", "url": "https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5186 vom 2021-12-17", "url": "https://access.redhat.com/errata/RHSA-2021:5186" }, { "category": "external", "summary": "IBM Security Bulletin 6527226 vom 2021-12-17", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-some-features-of-ibm-db2-on-openshift-and-ibm-db2-and-db2-warehouse-on-cloud-pak-for-data-cve-2021-44228/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5183 vom 2021-12-17", "url": "https://access.redhat.com/errata/RHSA-2021:5183" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5184 vom 2021-12-17", "url": "https://access.redhat.com/errata/RHSA-2021:5184" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5141 vom 2021-12-16", "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5107 vom 2021-12-16", "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "external", "summary": "Log4j Vulnerabilities Impact On Oracle E-Business Suite Analysis", "url": "https://www.integrigy.com/security-resources/log4j-vulnerabilities-impact-oracle-e-business-suite-analysis" }, { "category": "external", "summary": "Atos Security Advisory Report - OBSO-2112-01", "url": "https://networks.unify.com/security/advisories/OBSO-2112-01.pdf" }, { "category": "external", "summary": "HCL Article KB0095587 vom 2021-12-17", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0095587" }, { "category": "external", "summary": "IBM Security Bulletin 6527952 vom 2021-12-18", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-log4shell-vulnerability-affects-ibm-spss-statistics-cve-2021-4104/" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4112-1 vom 2021-12-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009916.html" }, { "category": "external", "summary": "IBM Security Bulletin 6527834 vom 2021-12-18", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-cve-2021-4104-affects-infosphere-data-replication/" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4115-1 vom 2021-12-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009918.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4111-1 vom 2021-12-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009917.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:14866-1 vom 2021-12-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009915.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5206 vom 2021-12-20", "url": "https://access.redhat.com/errata/RHSA-2021:5206" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2021-5206 vom 2021-12-21", "url": "https://linux.oracle.com/errata/ELSA-2021-5206.html" }, { "category": "external", "summary": "IBM Security Bulletin 6528678 vom 2021-12-22", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-some-features-of-ibm-db2-cve-2021-4104/" }, { "category": "external", "summary": "IBM Security Bulletin 6529056 vom 2021-12-22", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-app-connect-enterprise-v11-v12-and-ibm-integration-bus-cve-2021-4104/" }, { "category": "external", "summary": "CentOS Security Advisory CESA-2021:5206 vom 2021-12-21", "url": "https://lists.centos.org/pipermail/centos-announce/2021-December/060975.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4160-1 vom 2021-12-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009934.html" }, { "category": "external", "summary": "IBM Security Bulletin 6536868 vom 2021-12-23", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-have-been-identified-in-apache-log4j-shipped-with-ibm-tivoli-netcool-omnibus-common-integration-libraries-cve-2021-4104-cve-2021-45046-cve-2021-44228/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5269 vom 2021-12-23", "url": "https://access.redhat.com/errata/RHSA-2021:5269" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4190-1 vom 2021-12-24", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009943.html" }, { "category": "external", "summary": "EMC Security Advisory DSA-2021-274 vom 2022-01-09", "url": "https://www.dell.com/support/kbdoc/de-de/000194503/dsa-2021-274-dell-emc-data-domain-security-update-for-apache-log4j-remote-code-execution-vulnerability-cve-2021-44228" }, { "category": "external", "summary": "HPE Security Bulletin HPESBGN04215 rev.10 vom 2022-01-08", "url": "https://support.hpe.com/hpesc/public/docDisplay?elq_mid=17739\u0026elq_cid=67018031\u0026docId=hpesbgn04215en_us" }, { "category": "external", "summary": "IBM Security Bulletin 6539408 vom 2022-01-11", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-log4j-affect-the-ibm-websphere-application-server-and-ibm-security-guardium-key-lifecycle-manager-cve-2021-4104-cve-2021-45046-cve-2021-45105/" }, { "category": "external", "summary": "Juniper Security Bulletin JSA11287 vom 2022-01-12", "url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11287\u0026cat=SIRT_1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-5223-1 vom 2022-01-13", "url": "https://ubuntu.com/security/notices/USN-5223-1" }, { "category": "external", "summary": "IBM Security Bulletin 6540892 vom 2022-01-15", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-some-features-of-ibm-spss-analytic-server-cve-2021-4104/" }, { "category": "external", "summary": "Unify Security Advisory Report OBSO-2201-01 vom 2022-01-18", "url": "https://networks.unify.com/security/advisories/OBSO-2201-01.pdf" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2022-1562 vom 2022-01-20", "url": "https://alas.aws.amazon.com/ALAS-2022-1562.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0126-1 vom 2022-01-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-January/010026.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0133-1 vom 2022-01-20", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-January/010032.html" }, { "category": "external", "summary": "IBM Security Bulletin 6550448 vom 2022-01-25", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-data-studio-client-cve-2021-4104/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0291 vom 2022-01-26", "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0289 vom 2022-01-26", "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0294 vom 2022-01-26", "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2022-9056 vom 2022-01-26", "url": "https://linux.oracle.com/errata/ELSA-2022-9056.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0290 vom 2022-01-26", "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2022-0290 vom 2022-01-27", "url": "http://linux.oracle.com/errata/ELSA-2022-0290.html" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2022-1739 vom 2022-01-27", "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1739.html" }, { "category": "external", "summary": "IBM Security Bulletin 6551880 vom 2022-01-29", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-spectrum-scale-cve-2021-4104/" }, { "category": "external", "summary": "Debian Security Advisory DLA-2905 vom 2022-01-31", "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00033.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0436 vom 2022-02-04", "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "external", "summary": "IBM Security Bulletin 6553622 vom 2022-02-04", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-server-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44228-3/" }, { "category": "external", "summary": "IBM Security Bulletin 6553626 vom 2022-02-04", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-cve-2021-44228-in-ibm-informix-dynamic-server-in-cloud-pak-for-data-2/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0438 vom 2022-02-04", "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0430 vom 2022-02-03", "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0435 vom 2022-02-04", "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0437 vom 2022-02-04", "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0450 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0445 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0448 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0449 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0446 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0447 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0444 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0475 vom 2022-02-09", "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0497 vom 2022-02-09", "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0354-1 vom 2022-02-09", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-February/010195.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0355-1 vom 2022-02-09", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-February/010196.html" }, { "category": "external", "summary": "HCL Article KB0097471 vom 2022-05-18", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097471" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0507 vom 2022-02-10", "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0527 vom 2022-02-14", "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0524 vom 2022-02-14", "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0553 vom 2022-02-15", "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0661 vom 2022-02-23", "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2022-9419 vom 2022-05-23", "url": "https://linux.oracle.com/errata/ELSA-2022-9419.html" }, { "category": "external", "summary": "IBM Security Bulletin 6563561 vom 2022-03-16", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104/" }, { "category": "external", "summary": "IBM Security Bulletin 6565387 vom 2022-03-23", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-websphere-service-registry-and-repository-cve-2021-4104/" }, { "category": "external", "summary": "HCL Article KB0097470 vom 2022-03-25", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097470" }, { "category": "external", "summary": "HCL Article KB0096807 vom 2022-03-29", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0096807" }, { "category": "external", "summary": "IBM Security Bulletin", "url": "https://www.ibm.com/support/pages/node/6569189" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1296 vom 2022-04-11", "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1297 vom 2022-04-11", "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1299 vom 2022-04-11", "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "external", "summary": "HCL Article KB0097639 vom 2022-04-23", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097639" }, { "category": "external", "summary": "HCL Article KB0097650 vom 2022-04-23", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097650" }, { "category": "external", "summary": "AVAYA Security Advisory ASA-2022-022 vom 2022-04-25", "url": "https://downloads.avaya.com/css/P8/documents/101081577" }, { "category": "external", "summary": "HCL Article KB0097787 vom 2022-04-28", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097787" }, { "category": "external", "summary": "IBM Security Bulletin 6575541 vom 2022-04-28", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-may-be-affected-by-vulnerabilities-in-apache-log4j-1-x-version/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:5460 vom 2022-07-01", "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:5458 vom 2022-07-01", "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:5459 vom 2022-07-01", "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "external", "summary": "HCL Article KB0099671 vom 2022-07-24", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099671" }, { "category": "external", "summary": "HCL Article KB0099128 vom 2022-07-24", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099128" }, { "category": "external", "summary": "HCL Article KB0099131 vom 2022-07-24", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099131" }, { "category": "external", "summary": "HCL Article KB0099667 vom 2022-08-13", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099667" }, { "category": "external", "summary": "HCL Article KB0099669 vom 2022-08-13", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099669" }, { "category": "external", "summary": "HCL Article KB0100505 vom 2022-09-21", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0100505" }, { "category": "external", "summary": "IBM Security Bulletin 6829357 vom 2022-10-15", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-may-be-affected-by-vulnerabilities-in-apache-log4j-1-x-version-2/" }, { "category": "external", "summary": "IBM Security Bulletin 6831267 vom 2022-10-22", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-manager-is-affected-by-log4j-vulnerability-cve-2021-4104/" }, { "category": "external", "summary": "IBM Security Bulletin 6832160 vom 2022-10-27", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4j-ibm-qradar-siem-is-vulnerable-to-arbitrary-code-execution-cve-2019-17571-cve-2021-44832-cve-2021-4104/" }, { "category": "external", "summary": "IBM Security Bulletin 7009621 vom 2023-07-25", "url": "https://www.ibm.com/support/pages/node/7014395" }, { "category": "external", "summary": "Gentoo Linux Security Advisory GLSA-202312-04 vom 2023-12-22", "url": "https://www.cybersecurity-help.cz/vdb/SB2023122213" }, { "category": "external", "summary": "Gentoo Linux Security Advisory GLSA-202312-04 vom 2023-12-22", "url": "https://security.gentoo.org/glsa/202312-04" }, { "category": "external", "summary": "IBM Security Bulletin vom 2023-10-27", "url": "https://www.ibm.com/support/pages/node/7060803" }, { "category": "external", "summary": "IBM Security Bulletin 7152257 vom 2024-05-15", "url": "https://www.ibm.com/support/pages/node/7152257" } ], "source_lang": "en-US", "title": "Apache log4j: Schwachstelle erm\u00f6glicht Ausf\u00fchren von beliebigem Programmcode", "tracking": { "current_release_date": "2024-05-14T22:00:00.000+00:00", "generator": { "date": "2024-08-15T17:29:46.074+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2022-0520", "initial_release_date": "2021-12-15T23:00:00.000+00:00", "revision_history": [ { "date": "2021-12-15T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2021-12-16T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Atlassian, Red Hat, Unify und IBM aufgenommen" }, { "date": "2021-12-19T23:00:00.000+00:00", "number": "3", "summary": "Neue Updates von HCL, IBM und SUSE aufgenommen" }, { "date": "2021-12-20T23:00:00.000+00:00", "number": "4", "summary": "Neue Updates von Red Hat und Oracle Linux aufgenommen" }, { "date": "2021-12-21T23:00:00.000+00:00", "number": "5", "summary": "Neue Updates von IBM und CentOS aufgenommen" }, { "date": "2021-12-22T23:00:00.000+00:00", "number": "6", "summary": "Neue Updates von SUSE, IBM und Red Hat aufgenommen" }, { "date": "2021-12-26T23:00:00.000+00:00", "number": "7", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-01-09T23:00:00.000+00:00", "number": "8", "summary": "Neue Updates von EMC und HP aufgenommen" }, { "date": "2022-01-10T23:00:00.000+00:00", "number": "9", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-12T23:00:00.000+00:00", "number": "10", "summary": "Neue Updates von Juniper aufgenommen" }, { "date": "2022-01-13T23:00:00.000+00:00", "number": "11", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2022-01-16T23:00:00.000+00:00", "number": "12", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-18T23:00:00.000+00:00", "number": "13", "summary": "Neue Updates von Unify aufgenommen" }, { "date": "2022-01-19T23:00:00.000+00:00", "number": "14", "summary": "Neue Updates von Amazon und SUSE aufgenommen" }, { "date": "2022-01-20T23:00:00.000+00:00", "number": "15", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-01-24T23:00:00.000+00:00", "number": "16", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-26T23:00:00.000+00:00", "number": "17", "summary": "Neue Updates von Red Hat und Oracle Linux aufgenommen" }, { "date": "2022-01-27T23:00:00.000+00:00", "number": "18", "summary": "Neue Updates von Oracle Linux und Amazon aufgenommen" }, { "date": "2022-01-30T23:00:00.000+00:00", "number": "19", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-31T23:00:00.000+00:00", "number": "20", "summary": "Neue Updates von Debian aufgenommen" }, { "date": "2022-02-03T23:00:00.000+00:00", "number": "21", "summary": "Neue Updates von Red Hat und IBM aufgenommen" }, { "date": "2022-02-07T23:00:00.000+00:00", "number": "22", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-08T23:00:00.000+00:00", "number": "23", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-09T23:00:00.000+00:00", "number": "24", "summary": "Neue Updates von Red Hat und SUSE aufgenommen" }, { "date": "2022-02-10T23:00:00.000+00:00", "number": "25", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-14T23:00:00.000+00:00", "number": "26", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-15T23:00:00.000+00:00", "number": "27", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-23T23:00:00.000+00:00", "number": "28", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-03-15T23:00:00.000+00:00", "number": "29", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-03-22T23:00:00.000+00:00", "number": "30", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-03-24T23:00:00.000+00:00", "number": "31", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-03-29T22:00:00.000+00:00", "number": "32", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-04-04T22:00:00.000+00:00", "number": "33", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-04-11T22:00:00.000+00:00", "number": "34", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-04-24T22:00:00.000+00:00", "number": "35", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-04-26T22:00:00.000+00:00", "number": "36", "summary": "Neue Updates von AVAYA aufgenommen" }, { "date": "2022-04-27T22:00:00.000+00:00", "number": "37", "summary": "Neue Updates von HCL und IBM aufgenommen" }, { "date": "2022-05-17T22:00:00.000+00:00", "number": "38", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-05-23T22:00:00.000+00:00", "number": "39", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2022-06-30T22:00:00.000+00:00", "number": "40", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-07-24T22:00:00.000+00:00", "number": "41", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-08-14T22:00:00.000+00:00", "number": "42", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-09-20T22:00:00.000+00:00", "number": "43", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-10-16T22:00:00.000+00:00", "number": "44", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-10-23T22:00:00.000+00:00", "number": "45", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-10-26T22:00:00.000+00:00", "number": "46", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2023-07-24T22:00:00.000+00:00", "number": "47", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2023-10-29T23:00:00.000+00:00", "number": "48", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2023-12-21T23:00:00.000+00:00", "number": "49", "summary": "Neue Updates von Gentoo aufgenommen" }, { "date": "2024-05-14T22:00:00.000+00:00", "number": "50", "summary": "Neue Updates von IBM aufgenommen" } ], "status": "final", "version": "50" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Amazon Linux 2", "product": { "name": "Amazon Linux 2", "product_id": "398363", "product_identification_helper": { "cpe": "cpe:/o:amazon:linux_2:-" } } } ], "category": "vendor", "name": "Amazon" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "1.2", "product": { "name": "Apache log4j 1.2", "product_id": "T021343", "product_identification_helper": { "cpe": "cpe:/a:apache:log4j:1.2" } } }, { "category": "product_version_range", "name": "\u003c2", "product": { "name": "Apache log4j \u003c2", "product_id": "T021344" } } ], "category": "product_name", "name": "log4j" } ], "category": "vendor", "name": "Apache" }, { "branches": [ { "category": "product_name", "name": "Atlassian Bitbucket", "product": { "name": "Atlassian Bitbucket", "product_id": "T021356", "product_identification_helper": { "cpe": "cpe:/a:atlassian:bitbucket:-" } } } ], "category": "vendor", "name": "Atlassian" }, { "branches": [ { "category": "product_name", "name": "Avaya Aura Application Enablement Services", "product": { "name": "Avaya Aura Application Enablement Services", "product_id": "T015516", "product_identification_helper": { "cpe": "cpe:/a:avaya:aura_application_enablement_services:-" } } }, { "category": "product_name", "name": "Avaya Aura Communication Manager", "product": { "name": "Avaya Aura Communication Manager", "product_id": "T015126", "product_identification_helper": { "cpe": "cpe:/a:avaya:communication_manager:-" } } }, { "category": "product_name", "name": "Avaya Aura Experience Portal", "product": { "name": "Avaya Aura Experience Portal", "product_id": "T015519", "product_identification_helper": { "cpe": "cpe:/a:avaya:aura_experience_portal:-" } } }, { "category": "product_name", "name": "Avaya Aura Session Manager", "product": { "name": "Avaya Aura Session Manager", "product_id": "T015127", "product_identification_helper": { "cpe": "cpe:/a:avaya:session_manager:-" } } }, { "category": "product_name", "name": "Avaya Aura System Manager", "product": { "name": "Avaya Aura System Manager", "product_id": "T015518", "product_identification_helper": { "cpe": "cpe:/a:avaya:aura_system_manager:-" } } }, { "category": "product_name", "name": "Avaya Web License Manager", "product": { "name": "Avaya Web License Manager", "product_id": "T016243", "product_identification_helper": { "cpe": "cpe:/a:avaya:web_license_manager:-" } } }, { "category": "product_name", "name": "Avaya one-X", "product": { "name": "Avaya one-X", "product_id": "1024", "product_identification_helper": { "cpe": "cpe:/a:avaya:one-x:-" } } } ], "category": "vendor", "name": "Avaya" }, { "branches": [ { "category": "product_name", "name": "Debian Linux", "product": { "name": "Debian Linux", "product_id": "2951", "product_identification_helper": { "cpe": "cpe:/o:debian:debian_linux:-" } } } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "category": "product_name", "name": "EMC Data Domain", "product": { "name": "EMC Data Domain", "product_id": "T021496", "product_identification_helper": { "cpe": "cpe:/o:emc:data_domain:-" } } }, { "category": "product_name", "name": "EMC Data Domain OS", "product": { "name": "EMC Data Domain OS", "product_id": "T006099", "product_identification_helper": { "cpe": "cpe:/o:emc:data_domain_os:-" } } } ], "category": "vendor", "name": "EMC" }, { "branches": [ { "category": "product_name", "name": "Gentoo Linux", "product": { "name": "Gentoo Linux", "product_id": "T012167", "product_identification_helper": { "cpe": "cpe:/o:gentoo:linux:-" } } } ], "category": "vendor", "name": "Gentoo" }, { "branches": [ { "category": "product_name", "name": "HCL Commerce", "product": { "name": "HCL Commerce", "product_id": "T019293", "product_identification_helper": { "cpe": "cpe:/a:hcltechsw:commerce:-" } } } ], "category": "vendor", "name": "HCL" }, { "branches": [ { "category": "product_name", "name": "IBM DB2", "product": { "name": "IBM DB2", "product_id": "5104", "product_identification_helper": { "cpe": "cpe:/a:ibm:db2:-" } } }, { "category": "product_name", "name": "IBM Data Studio", "product": { "name": "IBM Data Studio", "product_id": "T021807", "product_identification_helper": { "cpe": "cpe:/a:ibm:data_studio:-" } } }, { "category": "product_name", "name": "IBM InfoSphere Data Replication", "product": { "name": "IBM InfoSphere Data Replication", "product_id": "T021399", "product_identification_helper": { "cpe": "cpe:/a:ibm:infosphere_data_replication:-" } } }, { "branches": [ { "category": "product_version", "name": "11.7", "product": { "name": "IBM InfoSphere Information Server 11.7", "product_id": "444803", "product_identification_helper": { "cpe": "cpe:/a:ibm:infosphere_information_server:11.7" } } } ], "category": "product_name", "name": "InfoSphere Information Server" }, { "branches": [ { "category": "product_version", "name": "Dynamic Server", "product": { "name": "IBM Informix Dynamic Server", "product_id": "T021953", "product_identification_helper": { "cpe": "cpe:/a:ibm:informix:::dynamic_server" } } } ], "category": "product_name", "name": "Informix" }, { "category": "product_name", "name": "IBM Integration Bus", "product": { "name": "IBM Integration Bus", "product_id": "T011169", "product_identification_helper": { "cpe": "cpe:/a:ibm:integration_bus:-" } } }, { "branches": [ { "category": "product_version", "name": "7.6.1.2", "product": { "name": "IBM Maximo Asset Management 7.6.1.2", "product_id": "812526", "product_identification_helper": { "cpe": "cpe:/a:ibm:maximo_asset_management:7.6.1.2" } } } ], "category": "product_name", "name": "Maximo Asset Management" }, { "branches": [ { "category": "product_version", "name": "7.5", "product": { "name": "IBM QRadar SIEM 7.5", "product_id": "T022954", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.5" } } }, { "category": "product_version", "name": "7.5.0", "product": { "name": "IBM QRadar SIEM 7.5.0", "product_id": "T023574", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.5.0" } } }, { "category": "product_version", "name": "7.4", "product": { "name": "IBM QRadar SIEM 7.4", "product_id": "T024775", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.4" } } } ], "category": "product_name", "name": "QRadar SIEM" }, { "category": "product_name", "name": "IBM SPSS", "product": { "name": "IBM SPSS", "product_id": "T013570", "product_identification_helper": { "cpe": "cpe:/a:ibm:spss:-" } } }, { "category": "product_name", "name": "IBM Security Access Manager for Enterprise Single Sign-On", "product": { "name": "IBM Security Access Manager for Enterprise Single Sign-On", "product_id": "T006523", "product_identification_helper": { "cpe": "cpe:/a:ibm:security_access_manager_for_enterprise_single_sign_on:-" } } }, { "category": "product_name", "name": "IBM Security Guardium", "product": { "name": "IBM Security Guardium", "product_id": "T021345", "product_identification_helper": { "cpe": "cpe:/a:ibm:security_guardium:-" } } }, { "branches": [ { "category": "product_version", "name": "6.0.2", "product": { "name": "IBM Security Identity Manager 6.0.2", "product_id": "976243", "product_identification_helper": { "cpe": "cpe:/a:ibm:security_identity_manager:6.0.2" } } } ], "category": "product_name", "name": "Security Identity Manager" }, { "category": "product_name", "name": "IBM Spectrum Scale", "product": { "name": "IBM Spectrum Scale", "product_id": "T019402", "product_identification_helper": { "cpe": "cpe:/a:ibm:spectrum_scale:-" } } }, { "category": "product_name", "name": "IBM Tivoli Netcool/OMNIbus", "product": { "name": "IBM Tivoli Netcool/OMNIbus", "product_id": "T004181", "product_identification_helper": { "cpe": "cpe:/a:ibm:tivoli_netcool%2fomnibus:-" } } }, { "branches": [ { "category": "product_version", "name": "8.5.x", "product": { "name": "IBM WebSphere Service Registry and Repository 8.5.x", "product_id": "T022377", "product_identification_helper": { "cpe": "cpe:/a:ibm:websphere_service_registry_and_repository:8.5.x" } } } ], "category": "product_name", "name": "WebSphere Service Registry and Repository" } ], "category": "vendor", "name": "IBM" }, { "branches": [ { "category": "product_name", "name": "Juniper Junos Space", "product": { "name": "Juniper Junos Space", "product_id": "T003343", "product_identification_helper": { "cpe": "cpe:/a:juniper:junos_space:-" } } } ], "category": "vendor", "name": "Juniper" }, { "branches": [ { "category": "product_name", "name": "Open Source CentOS", "product": { "name": "Open Source CentOS", "product_id": "1727", "product_identification_helper": { "cpe": "cpe:/o:centos:centos:-" } } } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "Oracle E-Business Suite", "product": { "name": "Oracle E-Business Suite", "product_id": "8311", "product_identification_helper": { "cpe": "cpe:/a:oracle:e-business_suite:-" } } }, { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": "T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "8", "product": { "name": "Red Hat Enterprise Linux 8", "product_id": "T014111", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:8" } } } ], "category": "product_name", "name": "Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "4", "product": { "name": "Red Hat OpenShift 4", "product_id": "T018720", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4" } } }, { "category": "product_version", "name": "4.8", "product": { "name": "Red Hat OpenShift 4.8", "product_id": "T020020", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:container_platform_4.8" } } } ], "category": "product_name", "name": "OpenShift" } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" }, { "branches": [ { "category": "product_name", "name": "Ubuntu Linux", "product": { "name": "Ubuntu Linux", "product_id": "T000126", "product_identification_helper": { "cpe": "cpe:/o:canonical:ubuntu_linux:-" } } } ], "category": "vendor", "name": "Ubuntu" }, { "branches": [ { "category": "product_name", "name": "Unify OpenScape 4000", "product": { "name": "Unify OpenScape 4000", "product_id": "T018011", "product_identification_helper": { "cpe": "cpe:/h:unify:openscape_4000:-" } } }, { "category": "product_name", "name": "Unify OpenScape Branch", "product": { "name": "Unify OpenScape Branch", "product_id": "T018258", "product_identification_helper": { "cpe": "cpe:/h:unify:openscape_branch:-" } } }, { "category": "product_name", "name": "Unify OpenScape Contact Center", "product": { "name": "Unify OpenScape Contact Center", "product_id": "T008876", "product_identification_helper": { "cpe": "cpe:/a:unify:openscape_contact_center:-" } } }, { "category": "product_name", "name": "Unify OpenScape Deployment Service (DLS)", "product": { "name": "Unify OpenScape Deployment Service (DLS)", "product_id": "T015711", "product_identification_helper": { "cpe": "cpe:/a:unify:openscape_deployment_service:-" } } }, { "category": "product_name", "name": "Unify OpenScape Mediaserver", "product": { "name": "Unify OpenScape Mediaserver", "product_id": "T018253", "product_identification_helper": { "cpe": "cpe:/a:unify:openscape_mediaserver:-" } } }, { "category": "product_name", "name": "Unify OpenScape UC Application", "product": { "name": "Unify OpenScape UC Application", "product_id": "T015712", "product_identification_helper": { "cpe": "cpe:/a:unify:openscape_uc_application:-" } } }, { "category": "product_name", "name": "Unify OpenScape Voice", "product": { "name": "Unify OpenScape Voice", "product_id": "T008873", "product_identification_helper": { "cpe": "cpe:/a:unify:openscape_voice:-" } } }, { "category": "product_name", "name": "Unify OpenScape Xpert", "product": { "name": "Unify OpenScape Xpert", "product_id": "T018014", "product_identification_helper": { "cpe": "cpe:/h:unify:openscape_xpert:-" } } } ], "category": "vendor", "name": "Unify" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in Apache log4j aufgrund einer Deserialisierung von nicht vertrauensw\u00fcrdigen Daten, wenn der Angreifer Schreibzugriff auf die Log4j-Konfiguration hat und wenn die eingesetzte Anwendung f\u00fcr die Verwendung von JMSAppender konfiguriert ist. Ein entfernter authentisierter Angreifer mit bestimmten Rechten kann diese Schwachstelle ausnutzen, um beliebigen Code auf dem System auszuf\u00fchren." } ], "product_status": { "known_affected": [ "T008876", "T008873", "T003343", "T011169", "T015127", "T019293", "T015126", "T004914", "T014111", "T021807", "T018720", "812526", "398363", "T021496", "T006099", "T015519", "T015518", "T006523", "T015516", "T015712", "T015711", "T012167", "T018011", "T018253", "T013570", "T016243", "T018014", "T022954", "T018258", "T021345", "2951", "T002207", "1024", "444803", "5104", "T004181", "T024775", "T021343", "976243", "8311", "T021356", "T021399", "T021953", "T023574", "T020020", "T019402", "T000126", "T022377", "1727" ] }, "release_date": "2021-12-15T23:00:00.000+00:00", "title": "CVE-2021-4104" } ] }
wid-sec-w-2023-1807
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Oracle Fusion Middleware b\u00fcndelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-1807 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1807.json" }, { "category": "self", "summary": "WID-SEC-2023-1807 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1807" }, { "category": "external", "summary": "Oracle Critical Patch Update Advisory - July 2023 - Appendix Oracle Fusion Middleware vom 2023-07-18", "url": "https://www.oracle.com/security-alerts/cpujul2023.html#AppendixFMW" }, { "category": "external", "summary": "Dell Security Advisory DSA-2023-409 vom 2023-12-23", "url": "https://www.dell.com/support/kbdoc/000220669/dsa-2023-=" } ], "source_lang": "en-US", "title": "Oracle Fusion Middleware: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-12-26T23:00:00.000+00:00", "generator": { "date": "2024-08-15T17:55:51.397+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2023-1807", "initial_release_date": "2023-07-18T22:00:00.000+00:00", "revision_history": [ { "date": "2023-07-18T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-12-26T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Dell aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Oracle Fusion Middleware 12.2.1.3.0", "product": { "name": "Oracle Fusion Middleware 12.2.1.3.0", "product_id": "618028", "product_identification_helper": { "cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.3.0" } } }, { "category": "product_name", "name": "Oracle Fusion Middleware 12.2.1.4.0", "product": { "name": "Oracle Fusion Middleware 12.2.1.4.0", "product_id": "751674", "product_identification_helper": { "cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.4.0" } } }, { "category": "product_name", "name": "Oracle Fusion Middleware 14.1.1.0.0", "product": { "name": "Oracle Fusion Middleware 14.1.1.0.0", "product_id": "829576", "product_identification_helper": { "cpe": "cpe:/a:oracle:fusion_middleware:14.1.1.0.0" } } }, { "category": "product_name", "name": "Oracle Fusion Middleware 9.1.0", "product": { "name": "Oracle Fusion Middleware 9.1.0", "product_id": "T022847", "product_identification_helper": { "cpe": "cpe:/a:oracle:fusion_middleware:9.1.0" } } }, { "category": "product_name", "name": "Oracle Fusion Middleware \u003c 11.1.2.3.1", "product": { "name": "Oracle Fusion Middleware \u003c 11.1.2.3.1", "product_id": "T028708", "product_identification_helper": { "cpe": "cpe:/a:oracle:fusion_middleware:11.1.2.3.1" } } } ], "category": "product_name", "name": "Fusion Middleware" } ], "category": "vendor", "name": "Oracle" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-26119", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-26119" }, { "cve": "CVE-2023-26049", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-26049" }, { "cve": "CVE-2023-25690", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-25690" }, { "cve": "CVE-2023-25194", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-25194" }, { "cve": "CVE-2023-24998", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-24998" }, { "cve": "CVE-2023-23914", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-23914" }, { "cve": "CVE-2023-22899", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-22899" }, { "cve": "CVE-2023-22040", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-22040" }, { "cve": "CVE-2023-22031", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-22031" }, { "cve": "CVE-2023-21994", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-21994" }, { "cve": "CVE-2023-20863", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-20863" }, { "cve": "CVE-2023-20861", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-20861" }, { "cve": "CVE-2023-20860", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-20860" }, { "cve": "CVE-2023-1436", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-1436" }, { "cve": "CVE-2023-1370", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-1370" }, { "cve": "CVE-2022-45688", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-45688" }, { "cve": "CVE-2022-45047", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-45047" }, { "cve": "CVE-2022-43680", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-43680" }, { "cve": "CVE-2022-42920", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-42920" }, { "cve": "CVE-2022-42890", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-42890" }, { "cve": "CVE-2022-41966", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-41966" }, { "cve": "CVE-2022-41853", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-41853" }, { "cve": "CVE-2022-40152", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-40152" }, { "cve": "CVE-2022-36033", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-36033" }, { "cve": "CVE-2022-33879", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-33879" }, { "cve": "CVE-2022-31197", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-31197" }, { "cve": "CVE-2022-29546", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-29546" }, { "cve": "CVE-2022-25647", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-25647" }, { "cve": "CVE-2022-24409", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-24409" }, { "cve": "CVE-2022-23437", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2022-23437" }, { "cve": "CVE-2021-46877", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-46877" }, { "cve": "CVE-2021-43113", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-43113" }, { "cve": "CVE-2021-42575", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-42575" }, { "cve": "CVE-2021-41184", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-41184" }, { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-4104" }, { "cve": "CVE-2021-37533", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-37533" }, { "cve": "CVE-2021-36374", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-36374" }, { "cve": "CVE-2021-36090", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-36090" }, { "cve": "CVE-2021-34429", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-34429" }, { "cve": "CVE-2021-33813", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-33813" }, { "cve": "CVE-2021-29425", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-29425" }, { "cve": "CVE-2021-28168", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-28168" }, { "cve": "CVE-2021-26117", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-26117" }, { "cve": "CVE-2021-23926", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-23926" }, { "cve": "CVE-2020-8908", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2020-8908" }, { "cve": "CVE-2020-36518", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2020-36518" }, { "cve": "CVE-2020-17521", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2020-17521" }, { "cve": "CVE-2020-13956", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2020-13956" }, { "cve": "CVE-2020-13936", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2020-13936" } ] }
opensuse-su-2021:4112-1
Vulnerability from csaf_opensuse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for log4j12", "title": "Title of the patch" }, { "category": "description", "text": "This update for log4j12 fixes the following issues:\n\n- CVE-2021-4104: Disable the JMSAppender class from log4j to protect against\n the log4jshell vulnerability. [bsc#1193662]\n", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-SLE-15.3-2021-4112", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_4112-1.json" }, { "category": "self", "summary": "URL for openSUSE-SU-2021:4112-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U355AEBE4AWYTPUPBMC3XAO6XBTWFRBL/" }, { "category": "self", "summary": "E-Mail link for openSUSE-SU-2021:4112-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U355AEBE4AWYTPUPBMC3XAO6XBTWFRBL/" }, { "category": "self", "summary": "SUSE Bug 1193662", "url": "https://bugzilla.suse.com/1193662" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" } ], "title": "Security update for log4j12", "tracking": { "current_release_date": "2021-12-17T11:19:37Z", "generator": { "date": "2021-12-17T11:19:37Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2021:4112-1", "initial_release_date": "2021-12-17T11:19:37Z", "revision_history": [ { "date": "2021-12-17T11:19:37Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "log4j12-1.2.17-4.3.1.noarch", "product": { "name": "log4j12-1.2.17-4.3.1.noarch", "product_id": "log4j12-1.2.17-4.3.1.noarch" } }, { "category": "product_version", "name": "log4j12-javadoc-1.2.17-4.3.1.noarch", "product": { "name": "log4j12-javadoc-1.2.17-4.3.1.noarch", "product_id": "log4j12-javadoc-1.2.17-4.3.1.noarch" } }, { "category": "product_version", "name": "log4j12-manual-1.2.17-4.3.1.noarch", "product": { "name": "log4j12-manual-1.2.17-4.3.1.noarch", "product_id": "log4j12-manual-1.2.17-4.3.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_name", "name": "openSUSE Leap 15.3", "product": { "name": "openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.3" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j12-1.2.17-4.3.1.noarch as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:log4j12-1.2.17-4.3.1.noarch" }, "product_reference": "log4j12-1.2.17-4.3.1.noarch", "relates_to_product_reference": "openSUSE Leap 15.3" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-javadoc-1.2.17-4.3.1.noarch as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:log4j12-javadoc-1.2.17-4.3.1.noarch" }, "product_reference": "log4j12-javadoc-1.2.17-4.3.1.noarch", "relates_to_product_reference": "openSUSE Leap 15.3" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-manual-1.2.17-4.3.1.noarch as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:log4j12-manual-1.2.17-4.3.1.noarch" }, "product_reference": "log4j12-manual-1.2.17-4.3.1.noarch", "relates_to_product_reference": "openSUSE Leap 15.3" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.3:log4j12-1.2.17-4.3.1.noarch", "openSUSE Leap 15.3:log4j12-javadoc-1.2.17-4.3.1.noarch", "openSUSE Leap 15.3:log4j12-manual-1.2.17-4.3.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.3:log4j12-1.2.17-4.3.1.noarch", "openSUSE Leap 15.3:log4j12-javadoc-1.2.17-4.3.1.noarch", "openSUSE Leap 15.3:log4j12-manual-1.2.17-4.3.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.3:log4j12-1.2.17-4.3.1.noarch", "openSUSE Leap 15.3:log4j12-javadoc-1.2.17-4.3.1.noarch", "openSUSE Leap 15.3:log4j12-manual-1.2.17-4.3.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2021-12-17T11:19:37Z", "details": "moderate" } ], "title": "CVE-2021-4104" } ] }
opensuse-su-2021:1631-1
Vulnerability from csaf_opensuse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for kafka", "title": "Title of the patch" }, { "category": "description", "text": "\nThis security update of kafka fixes the following issue:\n\n- CVE-2021-4104: Remove JMSAppender from log4j jars during build to prevent bsc#1193662, \n", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-2021-1631", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_1631-1.json" }, { "category": "self", "summary": "URL for openSUSE-SU-2021:1631-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4BQ3YNECTWF6XMIQDZ7C5QEDQ3QPQT4W/" }, { "category": "self", "summary": "E-Mail link for openSUSE-SU-2021:1631-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4BQ3YNECTWF6XMIQDZ7C5QEDQ3QPQT4W/" }, { "category": "self", "summary": "SUSE Bug 1193662", "url": "https://bugzilla.suse.com/1193662" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" } ], "title": "Security update for kafka", "tracking": { "current_release_date": "2021-12-28T02:33:02Z", "generator": { "date": "2021-12-28T02:33:02Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2021:1631-1", "initial_release_date": "2021-12-28T02:33:02Z", "revision_history": [ { "date": "2021-12-28T02:33:02Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "kafka-source-2.1.0-bp153.2.3.1.aarch64", "product": { "name": "kafka-source-2.1.0-bp153.2.3.1.aarch64", "product_id": "kafka-source-2.1.0-bp153.2.3.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "kafka-source-2.1.0-bp153.2.3.1.i586", "product": { "name": "kafka-source-2.1.0-bp153.2.3.1.i586", "product_id": "kafka-source-2.1.0-bp153.2.3.1.i586" } } ], "category": "architecture", "name": "i586" }, { "branches": [ { "category": "product_version", "name": "kafka-source-2.1.0-bp153.2.3.1.ppc64le", "product": { "name": "kafka-source-2.1.0-bp153.2.3.1.ppc64le", "product_id": "kafka-source-2.1.0-bp153.2.3.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "kafka-source-2.1.0-bp153.2.3.1.s390x", "product": { "name": "kafka-source-2.1.0-bp153.2.3.1.s390x", "product_id": "kafka-source-2.1.0-bp153.2.3.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "kafka-kit-2.1.0-bp153.2.3.1.x86_64", "product": { "name": "kafka-kit-2.1.0-bp153.2.3.1.x86_64", "product_id": "kafka-kit-2.1.0-bp153.2.3.1.x86_64" } }, { "category": "product_version", "name": "kafka-source-2.1.0-bp153.2.3.1.x86_64", "product": { "name": "kafka-source-2.1.0-bp153.2.3.1.x86_64", "product_id": "kafka-source-2.1.0-bp153.2.3.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "SUSE Package Hub 15 SP3", "product": { "name": "SUSE Package Hub 15 SP3", "product_id": "SUSE Package Hub 15 SP3" } }, { "category": "product_name", "name": "openSUSE Leap 15.3", "product": { "name": "openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.3" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "kafka-kit-2.1.0-bp153.2.3.1.x86_64 as component of SUSE Package Hub 15 SP3", "product_id": "SUSE Package Hub 15 SP3:kafka-kit-2.1.0-bp153.2.3.1.x86_64" }, "product_reference": "kafka-kit-2.1.0-bp153.2.3.1.x86_64", "relates_to_product_reference": "SUSE Package Hub 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.3.1.aarch64 as component of SUSE Package Hub 15 SP3", "product_id": "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.aarch64" }, "product_reference": "kafka-source-2.1.0-bp153.2.3.1.aarch64", "relates_to_product_reference": "SUSE Package Hub 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.3.1.i586 as component of SUSE Package Hub 15 SP3", "product_id": "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.i586" }, "product_reference": "kafka-source-2.1.0-bp153.2.3.1.i586", "relates_to_product_reference": "SUSE Package Hub 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.3.1.ppc64le as component of SUSE Package Hub 15 SP3", "product_id": "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.ppc64le" }, "product_reference": "kafka-source-2.1.0-bp153.2.3.1.ppc64le", "relates_to_product_reference": "SUSE Package Hub 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.3.1.s390x as component of SUSE Package Hub 15 SP3", "product_id": "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.s390x" }, "product_reference": "kafka-source-2.1.0-bp153.2.3.1.s390x", "relates_to_product_reference": "SUSE Package Hub 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.3.1.x86_64 as component of SUSE Package Hub 15 SP3", "product_id": "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.x86_64" }, "product_reference": "kafka-source-2.1.0-bp153.2.3.1.x86_64", "relates_to_product_reference": "SUSE Package Hub 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-kit-2.1.0-bp153.2.3.1.x86_64 as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:kafka-kit-2.1.0-bp153.2.3.1.x86_64" }, "product_reference": "kafka-kit-2.1.0-bp153.2.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.3.1.aarch64 as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.aarch64" }, "product_reference": "kafka-source-2.1.0-bp153.2.3.1.aarch64", "relates_to_product_reference": "openSUSE Leap 15.3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.3.1.i586 as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.i586" }, "product_reference": "kafka-source-2.1.0-bp153.2.3.1.i586", "relates_to_product_reference": "openSUSE Leap 15.3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.3.1.ppc64le as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.ppc64le" }, "product_reference": "kafka-source-2.1.0-bp153.2.3.1.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.3.1.s390x as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.s390x" }, "product_reference": "kafka-source-2.1.0-bp153.2.3.1.s390x", "relates_to_product_reference": "openSUSE Leap 15.3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.3.1.x86_64 as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.x86_64" }, "product_reference": "kafka-source-2.1.0-bp153.2.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.3" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 15 SP3:kafka-kit-2.1.0-bp153.2.3.1.x86_64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.aarch64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.i586", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.ppc64le", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.s390x", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.x86_64", "openSUSE Leap 15.3:kafka-kit-2.1.0-bp153.2.3.1.x86_64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.aarch64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.i586", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.ppc64le", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.s390x", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 15 SP3:kafka-kit-2.1.0-bp153.2.3.1.x86_64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.aarch64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.i586", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.ppc64le", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.s390x", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.x86_64", "openSUSE Leap 15.3:kafka-kit-2.1.0-bp153.2.3.1.x86_64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.aarch64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.i586", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.ppc64le", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.s390x", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE Package Hub 15 SP3:kafka-kit-2.1.0-bp153.2.3.1.x86_64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.aarch64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.i586", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.ppc64le", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.s390x", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.3.1.x86_64", "openSUSE Leap 15.3:kafka-kit-2.1.0-bp153.2.3.1.x86_64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.aarch64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.i586", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.ppc64le", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.s390x", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2021-12-28T02:33:02Z", "details": "moderate" } ], "title": "CVE-2021-4104" } ] }
opensuse-su-2021:1612-1
Vulnerability from csaf_opensuse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for log4j12", "title": "Title of the patch" }, { "category": "description", "text": "This update for log4j12 fixes the following issues:\n\n- CVE-2021-4104: Disable the JMSAppender class from log4j to protect against\n the log4jshell vulnerability. [bsc#1193662]\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update project.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-2021-1612", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_1612-1.json" }, { "category": "self", "summary": "URL for openSUSE-SU-2021:1612-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VHZ7COSTMBF33SO76DMFLY7V62XQUQLS/" }, { "category": "self", "summary": "E-Mail link for openSUSE-SU-2021:1612-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VHZ7COSTMBF33SO76DMFLY7V62XQUQLS/" }, { "category": "self", "summary": "SUSE Bug 1193662", "url": "https://bugzilla.suse.com/1193662" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" } ], "title": "Security update for log4j12", "tracking": { "current_release_date": "2021-12-24T15:51:57Z", "generator": { "date": "2021-12-24T15:51:57Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2021:1612-1", "initial_release_date": "2021-12-24T15:51:57Z", "revision_history": [ { "date": "2021-12-24T15:51:57Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "log4j12-1.2.17-lp152.3.3.2.noarch", "product": { "name": "log4j12-1.2.17-lp152.3.3.2.noarch", "product_id": "log4j12-1.2.17-lp152.3.3.2.noarch" } }, { "category": "product_version", "name": "log4j12-javadoc-1.2.17-lp152.3.3.2.noarch", "product": { "name": "log4j12-javadoc-1.2.17-lp152.3.3.2.noarch", "product_id": "log4j12-javadoc-1.2.17-lp152.3.3.2.noarch" } }, { "category": "product_version", "name": "log4j12-manual-1.2.17-lp152.3.3.2.noarch", "product": { "name": "log4j12-manual-1.2.17-lp152.3.3.2.noarch", "product_id": "log4j12-manual-1.2.17-lp152.3.3.2.noarch" } }, { "category": "product_version", "name": "log4j12-mini-1.2.17-lp152.3.3.2.noarch", "product": { "name": "log4j12-mini-1.2.17-lp152.3.3.2.noarch", "product_id": "log4j12-mini-1.2.17-lp152.3.3.2.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_name", "name": "openSUSE Leap 15.2", "product": { "name": "openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.2" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j12-1.2.17-lp152.3.3.2.noarch as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:log4j12-1.2.17-lp152.3.3.2.noarch" }, "product_reference": "log4j12-1.2.17-lp152.3.3.2.noarch", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-javadoc-1.2.17-lp152.3.3.2.noarch as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:log4j12-javadoc-1.2.17-lp152.3.3.2.noarch" }, "product_reference": "log4j12-javadoc-1.2.17-lp152.3.3.2.noarch", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-manual-1.2.17-lp152.3.3.2.noarch as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:log4j12-manual-1.2.17-lp152.3.3.2.noarch" }, "product_reference": "log4j12-manual-1.2.17-lp152.3.3.2.noarch", "relates_to_product_reference": "openSUSE Leap 15.2" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-mini-1.2.17-lp152.3.3.2.noarch as component of openSUSE Leap 15.2", "product_id": "openSUSE Leap 15.2:log4j12-mini-1.2.17-lp152.3.3.2.noarch" }, "product_reference": "log4j12-mini-1.2.17-lp152.3.3.2.noarch", "relates_to_product_reference": "openSUSE Leap 15.2" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.2:log4j12-1.2.17-lp152.3.3.2.noarch", "openSUSE Leap 15.2:log4j12-javadoc-1.2.17-lp152.3.3.2.noarch", "openSUSE Leap 15.2:log4j12-manual-1.2.17-lp152.3.3.2.noarch", "openSUSE Leap 15.2:log4j12-mini-1.2.17-lp152.3.3.2.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.2:log4j12-1.2.17-lp152.3.3.2.noarch", "openSUSE Leap 15.2:log4j12-javadoc-1.2.17-lp152.3.3.2.noarch", "openSUSE Leap 15.2:log4j12-manual-1.2.17-lp152.3.3.2.noarch", "openSUSE Leap 15.2:log4j12-mini-1.2.17-lp152.3.3.2.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.2:log4j12-1.2.17-lp152.3.3.2.noarch", "openSUSE Leap 15.2:log4j12-javadoc-1.2.17-lp152.3.3.2.noarch", "openSUSE Leap 15.2:log4j12-manual-1.2.17-lp152.3.3.2.noarch", "openSUSE Leap 15.2:log4j12-mini-1.2.17-lp152.3.3.2.noarch" ] } ], "threats": [ { "category": "impact", "date": "2021-12-24T15:51:57Z", "details": "moderate" } ], "title": "CVE-2021-4104" } ] }
opensuse-su-2022:0038-1
Vulnerability from csaf_opensuse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for kafka", "title": "Title of the patch" }, { "category": "description", "text": "\nThis update for kafka, kafka-kit fixes following issues:\n\n\n- Remove JDBCAppender, JMSSink, chainsaw from log4j jars during build to\n prevent bsc#1194842, CVE-2022-23302, bsc#1194843, CVE-2022-23305,\n bsc#1194844, CVE-2022-23307\n\n- Rebuild with kafka-kit change to\n Remove JMSAppender from log4j jars during build to\n prevent bsc#1193662, CVE-2021-4104\n", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-2022-38", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_0038-1.json" }, { "category": "self", "summary": "URL for openSUSE-SU-2022:0038-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LX6N6XLYOR6GINGSRITWVKJ743FCLHXK/" }, { "category": "self", "summary": "E-Mail link for openSUSE-SU-2022:0038-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LX6N6XLYOR6GINGSRITWVKJ743FCLHXK/" }, { "category": "self", "summary": "SUSE Bug 1193662", "url": "https://bugzilla.suse.com/1193662" }, { "category": "self", "summary": "SUSE Bug 1194842", "url": "https://bugzilla.suse.com/1194842" }, { "category": "self", "summary": "SUSE Bug 1194843", "url": "https://bugzilla.suse.com/1194843" }, { "category": "self", "summary": "SUSE Bug 1194844", "url": "https://bugzilla.suse.com/1194844" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" }, { "category": "self", "summary": "SUSE CVE CVE-2022-23302 page", "url": "https://www.suse.com/security/cve/CVE-2022-23302/" }, { "category": "self", "summary": "SUSE CVE CVE-2022-23305 page", "url": "https://www.suse.com/security/cve/CVE-2022-23305/" }, { "category": "self", "summary": "SUSE CVE CVE-2022-23307 page", "url": "https://www.suse.com/security/cve/CVE-2022-23307/" } ], "title": "Security update for kafka", "tracking": { "current_release_date": "2022-02-16T14:29:17Z", "generator": { "date": "2022-02-16T14:29:17Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2022:0038-1", "initial_release_date": "2022-02-16T14:29:17Z", "revision_history": [ { "date": "2022-02-16T14:29:17Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "kafka-source-2.1.0-bp153.2.6.1.aarch64", "product": { "name": "kafka-source-2.1.0-bp153.2.6.1.aarch64", "product_id": "kafka-source-2.1.0-bp153.2.6.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "kafka-source-2.1.0-bp153.2.6.1.i586", "product": { "name": "kafka-source-2.1.0-bp153.2.6.1.i586", "product_id": "kafka-source-2.1.0-bp153.2.6.1.i586" } } ], "category": "architecture", "name": "i586" }, { "branches": [ { "category": "product_version", "name": "kafka-source-2.1.0-bp153.2.6.1.ppc64le", "product": { "name": "kafka-source-2.1.0-bp153.2.6.1.ppc64le", "product_id": "kafka-source-2.1.0-bp153.2.6.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "kafka-source-2.1.0-bp153.2.6.1.s390x", "product": { "name": "kafka-source-2.1.0-bp153.2.6.1.s390x", "product_id": "kafka-source-2.1.0-bp153.2.6.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "kafka-kit-2.1.0-bp153.2.6.1.x86_64", "product": { "name": "kafka-kit-2.1.0-bp153.2.6.1.x86_64", "product_id": "kafka-kit-2.1.0-bp153.2.6.1.x86_64" } }, { "category": "product_version", "name": "kafka-source-2.1.0-bp153.2.6.1.x86_64", "product": { "name": "kafka-source-2.1.0-bp153.2.6.1.x86_64", "product_id": "kafka-source-2.1.0-bp153.2.6.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "SUSE Package Hub 15 SP3", "product": { "name": "SUSE Package Hub 15 SP3", "product_id": "SUSE Package Hub 15 SP3" } }, { "category": "product_name", "name": "openSUSE Leap 15.3", "product": { "name": "openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.3" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "kafka-kit-2.1.0-bp153.2.6.1.x86_64 as component of SUSE Package Hub 15 SP3", "product_id": "SUSE Package Hub 15 SP3:kafka-kit-2.1.0-bp153.2.6.1.x86_64" }, "product_reference": "kafka-kit-2.1.0-bp153.2.6.1.x86_64", "relates_to_product_reference": "SUSE Package Hub 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.6.1.aarch64 as component of SUSE Package Hub 15 SP3", "product_id": "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.aarch64" }, "product_reference": "kafka-source-2.1.0-bp153.2.6.1.aarch64", "relates_to_product_reference": "SUSE Package Hub 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.6.1.i586 as component of SUSE Package Hub 15 SP3", "product_id": "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.i586" }, "product_reference": "kafka-source-2.1.0-bp153.2.6.1.i586", "relates_to_product_reference": "SUSE Package Hub 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.6.1.ppc64le as component of SUSE Package Hub 15 SP3", "product_id": "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.ppc64le" }, "product_reference": "kafka-source-2.1.0-bp153.2.6.1.ppc64le", "relates_to_product_reference": "SUSE Package Hub 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.6.1.s390x as component of SUSE Package Hub 15 SP3", "product_id": "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.s390x" }, "product_reference": "kafka-source-2.1.0-bp153.2.6.1.s390x", "relates_to_product_reference": "SUSE Package Hub 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.6.1.x86_64 as component of SUSE Package Hub 15 SP3", "product_id": "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.x86_64" }, "product_reference": "kafka-source-2.1.0-bp153.2.6.1.x86_64", "relates_to_product_reference": "SUSE Package Hub 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-kit-2.1.0-bp153.2.6.1.x86_64 as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:kafka-kit-2.1.0-bp153.2.6.1.x86_64" }, "product_reference": "kafka-kit-2.1.0-bp153.2.6.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.6.1.aarch64 as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.aarch64" }, "product_reference": "kafka-source-2.1.0-bp153.2.6.1.aarch64", "relates_to_product_reference": "openSUSE Leap 15.3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.6.1.i586 as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.i586" }, "product_reference": "kafka-source-2.1.0-bp153.2.6.1.i586", "relates_to_product_reference": "openSUSE Leap 15.3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.6.1.ppc64le as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.ppc64le" }, "product_reference": "kafka-source-2.1.0-bp153.2.6.1.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.6.1.s390x as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.s390x" }, "product_reference": "kafka-source-2.1.0-bp153.2.6.1.s390x", "relates_to_product_reference": "openSUSE Leap 15.3" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-source-2.1.0-bp153.2.6.1.x86_64 as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.x86_64" }, "product_reference": "kafka-source-2.1.0-bp153.2.6.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.3" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 15 SP3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.i586", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.s390x", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.i586", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.s390x", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 15 SP3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.i586", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.s390x", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.i586", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.s390x", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE Package Hub 15 SP3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.i586", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.s390x", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.i586", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.s390x", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2022-02-16T14:29:17Z", "details": "moderate" } ], "title": "CVE-2021-4104" }, { "cve": "CVE-2022-23302", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2022-23302" } ], "notes": [ { "category": "general", "text": "JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 15 SP3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.i586", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.s390x", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.i586", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.s390x", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2022-23302", "url": "https://www.suse.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2022-23302", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 15 SP3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.i586", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.s390x", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.i586", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.s390x", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE Package Hub 15 SP3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.i586", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.s390x", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.i586", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.s390x", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2022-02-16T14:29:17Z", "details": "moderate" } ], "title": "CVE-2022-23302" }, { "cve": "CVE-2022-23305", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2022-23305" } ], "notes": [ { "category": "general", "text": "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 15 SP3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.i586", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.s390x", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.i586", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.s390x", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2022-23305", "url": "https://www.suse.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "SUSE Bug 1194843 for CVE-2022-23305", "url": "https://bugzilla.suse.com/1194843" }, { "category": "external", "summary": "SUSE Bug 1196392 for CVE-2022-23305", "url": "https://bugzilla.suse.com/1196392" }, { "category": "external", "summary": "SUSE Bug 1225673 for CVE-2022-23305", "url": "https://bugzilla.suse.com/1225673" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 15 SP3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.i586", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.s390x", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.i586", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.s390x", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE Package Hub 15 SP3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.i586", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.s390x", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.i586", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.s390x", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2022-02-16T14:29:17Z", "details": "important" } ], "title": "CVE-2022-23305" }, { "cve": "CVE-2022-23307", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2022-23307" } ], "notes": [ { "category": "general", "text": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 15 SP3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.i586", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.s390x", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.i586", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.s390x", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2022-23307", "url": "https://www.suse.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "SUSE Bug 1194844 for CVE-2022-23307", "url": "https://bugzilla.suse.com/1194844" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 15 SP3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.i586", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.s390x", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.i586", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.s390x", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE Package Hub 15 SP3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.i586", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.s390x", "SUSE Package Hub 15 SP3:kafka-source-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-kit-2.1.0-bp153.2.6.1.x86_64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.aarch64", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.i586", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.ppc64le", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.s390x", "openSUSE Leap 15.3:kafka-source-2.1.0-bp153.2.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2022-02-16T14:29:17Z", "details": "important" } ], "title": "CVE-2022-23307" } ] }
opensuse-su-2021:4111-1
Vulnerability from csaf_opensuse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for log4j", "title": "Title of the patch" }, { "category": "description", "text": "This update for log4j fixes the following issue:\n\n- CVE-2021-4104: Disable the JMSAppender class from log4j to protect against\n the log4jshell vulnerability. [bsc#1193662]\n", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-SLE-15.3-2021-4111", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_4111-1.json" }, { "category": "self", "summary": "URL for openSUSE-SU-2021:4111-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RTBP7J2BY2P4Y4VVPTAERSBRBHRHKIDZ/" }, { "category": "self", "summary": "E-Mail link for openSUSE-SU-2021:4111-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RTBP7J2BY2P4Y4VVPTAERSBRBHRHKIDZ/" }, { "category": "self", "summary": "SUSE Bug 1193662", "url": "https://bugzilla.suse.com/1193662" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" } ], "title": "Security update for log4j", "tracking": { "current_release_date": "2021-12-17T11:18:53Z", "generator": { "date": "2021-12-17T11:18:53Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2021:4111-1", "initial_release_date": "2021-12-17T11:18:53Z", "revision_history": [ { "date": "2021-12-17T11:18:53Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "log4j-manual-1.2.17-5.6.1.noarch", "product": { "name": "log4j-manual-1.2.17-5.6.1.noarch", "product_id": "log4j-manual-1.2.17-5.6.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_name", "name": "openSUSE Leap 15.3", "product": { "name": "openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.3" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-1.2.17-5.6.1.noarch as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:log4j-manual-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-manual-1.2.17-5.6.1.noarch", "relates_to_product_reference": "openSUSE Leap 15.3" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.3:log4j-manual-1.2.17-5.6.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.3:log4j-manual-1.2.17-5.6.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.3:log4j-manual-1.2.17-5.6.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2021-12-17T11:18:53Z", "details": "moderate" } ], "title": "CVE-2021-4104" } ] }
opensuse-su-2024:11682-1
Vulnerability from csaf_opensuse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "chainsaw-1.2.17-5.1 on GA media", "title": "Title of the patch" }, { "category": "description", "text": "These are all security issues fixed in the chainsaw-1.2.17-5.1 package on the GA media of openSUSE Tumbleweed.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-Tumbleweed-2024-11682", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11682-1.json" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" } ], "title": "chainsaw-1.2.17-5.1 on GA media", "tracking": { "current_release_date": "2024-06-15T00:00:00Z", "generator": { "date": "2024-06-15T00:00:00Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2024:11682-1", "initial_release_date": "2024-06-15T00:00:00Z", "revision_history": [ { "date": "2024-06-15T00:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "chainsaw-1.2.17-5.1.aarch64", "product": { "name": "chainsaw-1.2.17-5.1.aarch64", "product_id": "chainsaw-1.2.17-5.1.aarch64" } }, { "category": "product_version", "name": "log4j12-1.2.17-5.1.aarch64", "product": { "name": "log4j12-1.2.17-5.1.aarch64", "product_id": "log4j12-1.2.17-5.1.aarch64" } }, { "category": "product_version", "name": "log4j12-javadoc-1.2.17-5.1.aarch64", "product": { "name": "log4j12-javadoc-1.2.17-5.1.aarch64", "product_id": "log4j12-javadoc-1.2.17-5.1.aarch64" } }, { "category": "product_version", "name": "log4j12-manual-1.2.17-5.1.aarch64", "product": { "name": "log4j12-manual-1.2.17-5.1.aarch64", "product_id": "log4j12-manual-1.2.17-5.1.aarch64" } }, { "category": "product_version", "name": "logfactor5-1.2.17-5.1.aarch64", "product": { "name": "logfactor5-1.2.17-5.1.aarch64", "product_id": "logfactor5-1.2.17-5.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "chainsaw-1.2.17-5.1.ppc64le", "product": { "name": "chainsaw-1.2.17-5.1.ppc64le", "product_id": "chainsaw-1.2.17-5.1.ppc64le" } }, { "category": "product_version", "name": "log4j12-1.2.17-5.1.ppc64le", "product": { "name": "log4j12-1.2.17-5.1.ppc64le", "product_id": "log4j12-1.2.17-5.1.ppc64le" } }, { "category": "product_version", "name": "log4j12-javadoc-1.2.17-5.1.ppc64le", "product": { "name": "log4j12-javadoc-1.2.17-5.1.ppc64le", "product_id": "log4j12-javadoc-1.2.17-5.1.ppc64le" } }, { "category": "product_version", "name": "log4j12-manual-1.2.17-5.1.ppc64le", "product": { "name": "log4j12-manual-1.2.17-5.1.ppc64le", "product_id": "log4j12-manual-1.2.17-5.1.ppc64le" } }, { "category": "product_version", "name": "logfactor5-1.2.17-5.1.ppc64le", "product": { "name": "logfactor5-1.2.17-5.1.ppc64le", "product_id": "logfactor5-1.2.17-5.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "chainsaw-1.2.17-5.1.s390x", "product": { "name": "chainsaw-1.2.17-5.1.s390x", "product_id": "chainsaw-1.2.17-5.1.s390x" } }, { "category": "product_version", "name": "log4j12-1.2.17-5.1.s390x", "product": { "name": "log4j12-1.2.17-5.1.s390x", "product_id": "log4j12-1.2.17-5.1.s390x" } }, { "category": "product_version", "name": "log4j12-javadoc-1.2.17-5.1.s390x", "product": { "name": "log4j12-javadoc-1.2.17-5.1.s390x", "product_id": "log4j12-javadoc-1.2.17-5.1.s390x" } }, { "category": "product_version", "name": "log4j12-manual-1.2.17-5.1.s390x", "product": { "name": "log4j12-manual-1.2.17-5.1.s390x", "product_id": "log4j12-manual-1.2.17-5.1.s390x" } }, { "category": "product_version", "name": "logfactor5-1.2.17-5.1.s390x", "product": { "name": "logfactor5-1.2.17-5.1.s390x", "product_id": "logfactor5-1.2.17-5.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "chainsaw-1.2.17-5.1.x86_64", "product": { "name": "chainsaw-1.2.17-5.1.x86_64", "product_id": "chainsaw-1.2.17-5.1.x86_64" } }, { "category": "product_version", "name": "log4j12-1.2.17-5.1.x86_64", "product": { "name": "log4j12-1.2.17-5.1.x86_64", "product_id": "log4j12-1.2.17-5.1.x86_64" } }, { "category": "product_version", "name": "log4j12-javadoc-1.2.17-5.1.x86_64", "product": { "name": "log4j12-javadoc-1.2.17-5.1.x86_64", "product_id": "log4j12-javadoc-1.2.17-5.1.x86_64" } }, { "category": "product_version", "name": "log4j12-manual-1.2.17-5.1.x86_64", "product": { "name": "log4j12-manual-1.2.17-5.1.x86_64", "product_id": "log4j12-manual-1.2.17-5.1.x86_64" } }, { "category": "product_version", "name": "logfactor5-1.2.17-5.1.x86_64", "product": { "name": "logfactor5-1.2.17-5.1.x86_64", "product_id": "logfactor5-1.2.17-5.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Tumbleweed", "product": { "name": "openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed", "product_identification_helper": { "cpe": "cpe:/o:opensuse:tumbleweed" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "chainsaw-1.2.17-5.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:chainsaw-1.2.17-5.1.aarch64" }, "product_reference": "chainsaw-1.2.17-5.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "chainsaw-1.2.17-5.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:chainsaw-1.2.17-5.1.ppc64le" }, "product_reference": "chainsaw-1.2.17-5.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "chainsaw-1.2.17-5.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:chainsaw-1.2.17-5.1.s390x" }, "product_reference": "chainsaw-1.2.17-5.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "chainsaw-1.2.17-5.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:chainsaw-1.2.17-5.1.x86_64" }, "product_reference": "chainsaw-1.2.17-5.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-1.2.17-5.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j12-1.2.17-5.1.aarch64" }, "product_reference": "log4j12-1.2.17-5.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-1.2.17-5.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j12-1.2.17-5.1.ppc64le" }, "product_reference": "log4j12-1.2.17-5.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-1.2.17-5.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j12-1.2.17-5.1.s390x" }, "product_reference": "log4j12-1.2.17-5.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-1.2.17-5.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j12-1.2.17-5.1.x86_64" }, "product_reference": "log4j12-1.2.17-5.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-javadoc-1.2.17-5.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j12-javadoc-1.2.17-5.1.aarch64" }, "product_reference": "log4j12-javadoc-1.2.17-5.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-javadoc-1.2.17-5.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j12-javadoc-1.2.17-5.1.ppc64le" }, "product_reference": "log4j12-javadoc-1.2.17-5.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-javadoc-1.2.17-5.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j12-javadoc-1.2.17-5.1.s390x" }, "product_reference": "log4j12-javadoc-1.2.17-5.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-javadoc-1.2.17-5.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j12-javadoc-1.2.17-5.1.x86_64" }, "product_reference": "log4j12-javadoc-1.2.17-5.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-manual-1.2.17-5.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j12-manual-1.2.17-5.1.aarch64" }, "product_reference": "log4j12-manual-1.2.17-5.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-manual-1.2.17-5.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j12-manual-1.2.17-5.1.ppc64le" }, "product_reference": "log4j12-manual-1.2.17-5.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-manual-1.2.17-5.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j12-manual-1.2.17-5.1.s390x" }, "product_reference": "log4j12-manual-1.2.17-5.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-manual-1.2.17-5.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j12-manual-1.2.17-5.1.x86_64" }, "product_reference": "log4j12-manual-1.2.17-5.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "logfactor5-1.2.17-5.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:logfactor5-1.2.17-5.1.aarch64" }, "product_reference": "logfactor5-1.2.17-5.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "logfactor5-1.2.17-5.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:logfactor5-1.2.17-5.1.ppc64le" }, "product_reference": "logfactor5-1.2.17-5.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "logfactor5-1.2.17-5.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:logfactor5-1.2.17-5.1.s390x" }, "product_reference": "logfactor5-1.2.17-5.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "logfactor5-1.2.17-5.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:logfactor5-1.2.17-5.1.x86_64" }, "product_reference": "logfactor5-1.2.17-5.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:chainsaw-1.2.17-5.1.aarch64", "openSUSE Tumbleweed:chainsaw-1.2.17-5.1.ppc64le", "openSUSE Tumbleweed:chainsaw-1.2.17-5.1.s390x", "openSUSE Tumbleweed:chainsaw-1.2.17-5.1.x86_64", "openSUSE Tumbleweed:log4j12-1.2.17-5.1.aarch64", "openSUSE Tumbleweed:log4j12-1.2.17-5.1.ppc64le", "openSUSE Tumbleweed:log4j12-1.2.17-5.1.s390x", "openSUSE Tumbleweed:log4j12-1.2.17-5.1.x86_64", "openSUSE Tumbleweed:log4j12-javadoc-1.2.17-5.1.aarch64", "openSUSE Tumbleweed:log4j12-javadoc-1.2.17-5.1.ppc64le", "openSUSE Tumbleweed:log4j12-javadoc-1.2.17-5.1.s390x", "openSUSE Tumbleweed:log4j12-javadoc-1.2.17-5.1.x86_64", "openSUSE Tumbleweed:log4j12-manual-1.2.17-5.1.aarch64", "openSUSE Tumbleweed:log4j12-manual-1.2.17-5.1.ppc64le", "openSUSE Tumbleweed:log4j12-manual-1.2.17-5.1.s390x", "openSUSE Tumbleweed:log4j12-manual-1.2.17-5.1.x86_64", "openSUSE Tumbleweed:logfactor5-1.2.17-5.1.aarch64", "openSUSE Tumbleweed:logfactor5-1.2.17-5.1.ppc64le", "openSUSE Tumbleweed:logfactor5-1.2.17-5.1.s390x", "openSUSE Tumbleweed:logfactor5-1.2.17-5.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:chainsaw-1.2.17-5.1.aarch64", "openSUSE Tumbleweed:chainsaw-1.2.17-5.1.ppc64le", "openSUSE Tumbleweed:chainsaw-1.2.17-5.1.s390x", "openSUSE Tumbleweed:chainsaw-1.2.17-5.1.x86_64", "openSUSE Tumbleweed:log4j12-1.2.17-5.1.aarch64", "openSUSE Tumbleweed:log4j12-1.2.17-5.1.ppc64le", "openSUSE Tumbleweed:log4j12-1.2.17-5.1.s390x", "openSUSE Tumbleweed:log4j12-1.2.17-5.1.x86_64", "openSUSE Tumbleweed:log4j12-javadoc-1.2.17-5.1.aarch64", "openSUSE Tumbleweed:log4j12-javadoc-1.2.17-5.1.ppc64le", "openSUSE Tumbleweed:log4j12-javadoc-1.2.17-5.1.s390x", "openSUSE Tumbleweed:log4j12-javadoc-1.2.17-5.1.x86_64", "openSUSE Tumbleweed:log4j12-manual-1.2.17-5.1.aarch64", "openSUSE Tumbleweed:log4j12-manual-1.2.17-5.1.ppc64le", "openSUSE Tumbleweed:log4j12-manual-1.2.17-5.1.s390x", "openSUSE Tumbleweed:log4j12-manual-1.2.17-5.1.x86_64", "openSUSE Tumbleweed:logfactor5-1.2.17-5.1.aarch64", "openSUSE Tumbleweed:logfactor5-1.2.17-5.1.ppc64le", "openSUSE Tumbleweed:logfactor5-1.2.17-5.1.s390x", "openSUSE Tumbleweed:logfactor5-1.2.17-5.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:chainsaw-1.2.17-5.1.aarch64", "openSUSE Tumbleweed:chainsaw-1.2.17-5.1.ppc64le", "openSUSE Tumbleweed:chainsaw-1.2.17-5.1.s390x", "openSUSE Tumbleweed:chainsaw-1.2.17-5.1.x86_64", "openSUSE Tumbleweed:log4j12-1.2.17-5.1.aarch64", "openSUSE Tumbleweed:log4j12-1.2.17-5.1.ppc64le", "openSUSE Tumbleweed:log4j12-1.2.17-5.1.s390x", "openSUSE Tumbleweed:log4j12-1.2.17-5.1.x86_64", "openSUSE Tumbleweed:log4j12-javadoc-1.2.17-5.1.aarch64", "openSUSE Tumbleweed:log4j12-javadoc-1.2.17-5.1.ppc64le", "openSUSE Tumbleweed:log4j12-javadoc-1.2.17-5.1.s390x", "openSUSE Tumbleweed:log4j12-javadoc-1.2.17-5.1.x86_64", "openSUSE Tumbleweed:log4j12-manual-1.2.17-5.1.aarch64", "openSUSE Tumbleweed:log4j12-manual-1.2.17-5.1.ppc64le", "openSUSE Tumbleweed:log4j12-manual-1.2.17-5.1.s390x", "openSUSE Tumbleweed:log4j12-manual-1.2.17-5.1.x86_64", "openSUSE Tumbleweed:logfactor5-1.2.17-5.1.aarch64", "openSUSE Tumbleweed:logfactor5-1.2.17-5.1.ppc64le", "openSUSE Tumbleweed:logfactor5-1.2.17-5.1.s390x", "openSUSE Tumbleweed:logfactor5-1.2.17-5.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "moderate" } ], "title": "CVE-2021-4104" } ] }
opensuse-su-2024:11681-1
Vulnerability from csaf_opensuse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "log4j-2.16.0-2.1 on GA media", "title": "Title of the patch" }, { "category": "description", "text": "These are all security issues fixed in the log4j-2.16.0-2.1 package on the GA media of openSUSE Tumbleweed.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-Tumbleweed-2024-11681", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11681-1.json" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" }, { "category": "self", "summary": "SUSE CVE CVE-2021-45046 page", "url": "https://www.suse.com/security/cve/CVE-2021-45046/" } ], "title": "log4j-2.16.0-2.1 on GA media", "tracking": { "current_release_date": "2024-06-15T00:00:00Z", "generator": { "date": "2024-06-15T00:00:00Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2024:11681-1", "initial_release_date": "2024-06-15T00:00:00Z", "revision_history": [ { "date": "2024-06-15T00:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "log4j-2.16.0-2.1.aarch64", "product": { "name": "log4j-2.16.0-2.1.aarch64", "product_id": "log4j-2.16.0-2.1.aarch64" } }, { "category": "product_version", "name": "log4j-javadoc-2.16.0-2.1.aarch64", "product": { "name": "log4j-javadoc-2.16.0-2.1.aarch64", "product_id": "log4j-javadoc-2.16.0-2.1.aarch64" } }, { "category": "product_version", "name": "log4j-jcl-2.16.0-2.1.aarch64", "product": { "name": "log4j-jcl-2.16.0-2.1.aarch64", "product_id": "log4j-jcl-2.16.0-2.1.aarch64" } }, { "category": "product_version", "name": "log4j-slf4j-2.16.0-2.1.aarch64", "product": { "name": "log4j-slf4j-2.16.0-2.1.aarch64", "product_id": "log4j-slf4j-2.16.0-2.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "log4j-2.16.0-2.1.ppc64le", "product": { "name": "log4j-2.16.0-2.1.ppc64le", "product_id": "log4j-2.16.0-2.1.ppc64le" } }, { "category": "product_version", "name": "log4j-javadoc-2.16.0-2.1.ppc64le", "product": { "name": "log4j-javadoc-2.16.0-2.1.ppc64le", "product_id": "log4j-javadoc-2.16.0-2.1.ppc64le" } }, { "category": "product_version", "name": "log4j-jcl-2.16.0-2.1.ppc64le", "product": { "name": "log4j-jcl-2.16.0-2.1.ppc64le", "product_id": "log4j-jcl-2.16.0-2.1.ppc64le" } }, { "category": "product_version", "name": "log4j-slf4j-2.16.0-2.1.ppc64le", "product": { "name": "log4j-slf4j-2.16.0-2.1.ppc64le", "product_id": "log4j-slf4j-2.16.0-2.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "log4j-2.16.0-2.1.s390x", "product": { "name": "log4j-2.16.0-2.1.s390x", "product_id": "log4j-2.16.0-2.1.s390x" } }, { "category": "product_version", "name": "log4j-javadoc-2.16.0-2.1.s390x", "product": { "name": "log4j-javadoc-2.16.0-2.1.s390x", "product_id": "log4j-javadoc-2.16.0-2.1.s390x" } }, { "category": "product_version", "name": "log4j-jcl-2.16.0-2.1.s390x", "product": { "name": "log4j-jcl-2.16.0-2.1.s390x", "product_id": "log4j-jcl-2.16.0-2.1.s390x" } }, { "category": "product_version", "name": "log4j-slf4j-2.16.0-2.1.s390x", "product": { "name": "log4j-slf4j-2.16.0-2.1.s390x", "product_id": "log4j-slf4j-2.16.0-2.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "log4j-2.16.0-2.1.x86_64", "product": { "name": "log4j-2.16.0-2.1.x86_64", "product_id": "log4j-2.16.0-2.1.x86_64" } }, { "category": "product_version", "name": "log4j-javadoc-2.16.0-2.1.x86_64", "product": { "name": "log4j-javadoc-2.16.0-2.1.x86_64", "product_id": "log4j-javadoc-2.16.0-2.1.x86_64" } }, { "category": "product_version", "name": "log4j-jcl-2.16.0-2.1.x86_64", "product": { "name": "log4j-jcl-2.16.0-2.1.x86_64", "product_id": "log4j-jcl-2.16.0-2.1.x86_64" } }, { "category": "product_version", "name": "log4j-slf4j-2.16.0-2.1.x86_64", "product": { "name": "log4j-slf4j-2.16.0-2.1.x86_64", "product_id": "log4j-slf4j-2.16.0-2.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Tumbleweed", "product": { "name": "openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed", "product_identification_helper": { "cpe": "cpe:/o:opensuse:tumbleweed" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-2.16.0-2.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j-2.16.0-2.1.aarch64" }, "product_reference": "log4j-2.16.0-2.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-2.16.0-2.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j-2.16.0-2.1.ppc64le" }, "product_reference": "log4j-2.16.0-2.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-2.16.0-2.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j-2.16.0-2.1.s390x" }, "product_reference": "log4j-2.16.0-2.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-2.16.0-2.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j-2.16.0-2.1.x86_64" }, "product_reference": "log4j-2.16.0-2.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-2.16.0-2.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.aarch64" }, "product_reference": "log4j-javadoc-2.16.0-2.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-2.16.0-2.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.ppc64le" }, "product_reference": "log4j-javadoc-2.16.0-2.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-2.16.0-2.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.s390x" }, "product_reference": "log4j-javadoc-2.16.0-2.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-2.16.0-2.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.x86_64" }, "product_reference": "log4j-javadoc-2.16.0-2.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jcl-2.16.0-2.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.aarch64" }, "product_reference": "log4j-jcl-2.16.0-2.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jcl-2.16.0-2.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.ppc64le" }, "product_reference": "log4j-jcl-2.16.0-2.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jcl-2.16.0-2.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.s390x" }, "product_reference": "log4j-jcl-2.16.0-2.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jcl-2.16.0-2.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.x86_64" }, "product_reference": "log4j-jcl-2.16.0-2.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-slf4j-2.16.0-2.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.aarch64" }, "product_reference": "log4j-slf4j-2.16.0-2.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-slf4j-2.16.0-2.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.ppc64le" }, "product_reference": "log4j-slf4j-2.16.0-2.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-slf4j-2.16.0-2.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.s390x" }, "product_reference": "log4j-slf4j-2.16.0-2.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-slf4j-2.16.0-2.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.x86_64" }, "product_reference": "log4j-slf4j-2.16.0-2.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:log4j-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-2.16.0-2.1.x86_64", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.x86_64", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.x86_64", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:log4j-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-2.16.0-2.1.x86_64", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.x86_64", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.x86_64", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:log4j-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-2.16.0-2.1.x86_64", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.x86_64", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.x86_64", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "moderate" } ], "title": "CVE-2021-4104" }, { "cve": "CVE-2021-45046", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-45046" } ], "notes": [ { "category": "general", "text": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:log4j-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-2.16.0-2.1.x86_64", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.x86_64", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.x86_64", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2021-45046", "url": "https://www.suse.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "SUSE Bug 1193743 for CVE-2021-45046", "url": "https://bugzilla.suse.com/1193743" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:log4j-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-2.16.0-2.1.x86_64", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.x86_64", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.x86_64", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:log4j-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-2.16.0-2.1.x86_64", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-javadoc-2.16.0-2.1.x86_64", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-jcl-2.16.0-2.1.x86_64", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.aarch64", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.ppc64le", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.s390x", "openSUSE Tumbleweed:log4j-slf4j-2.16.0-2.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "important" } ], "title": "CVE-2021-45046" } ] }
opensuse-su-2024:11696-1
Vulnerability from csaf_opensuse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "kafka-kit-2.1.0-2.1 on GA media", "title": "Title of the patch" }, { "category": "description", "text": "These are all security issues fixed in the kafka-kit-2.1.0-2.1 package on the GA media of openSUSE Tumbleweed.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-Tumbleweed-2024-11696", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11696-1.json" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" } ], "title": "kafka-kit-2.1.0-2.1 on GA media", "tracking": { "current_release_date": "2024-06-15T00:00:00Z", "generator": { "date": "2024-06-15T00:00:00Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2024:11696-1", "initial_release_date": "2024-06-15T00:00:00Z", "revision_history": [ { "date": "2024-06-15T00:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "kafka-kit-2.1.0-2.1.aarch64", "product": { "name": "kafka-kit-2.1.0-2.1.aarch64", "product_id": "kafka-kit-2.1.0-2.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "kafka-kit-2.1.0-2.1.ppc64le", "product": { "name": "kafka-kit-2.1.0-2.1.ppc64le", "product_id": "kafka-kit-2.1.0-2.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "kafka-kit-2.1.0-2.1.s390x", "product": { "name": "kafka-kit-2.1.0-2.1.s390x", "product_id": "kafka-kit-2.1.0-2.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "kafka-kit-2.1.0-2.1.x86_64", "product": { "name": "kafka-kit-2.1.0-2.1.x86_64", "product_id": "kafka-kit-2.1.0-2.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Tumbleweed", "product": { "name": "openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed", "product_identification_helper": { "cpe": "cpe:/o:opensuse:tumbleweed" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "kafka-kit-2.1.0-2.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:kafka-kit-2.1.0-2.1.aarch64" }, "product_reference": "kafka-kit-2.1.0-2.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-kit-2.1.0-2.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:kafka-kit-2.1.0-2.1.ppc64le" }, "product_reference": "kafka-kit-2.1.0-2.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-kit-2.1.0-2.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:kafka-kit-2.1.0-2.1.s390x" }, "product_reference": "kafka-kit-2.1.0-2.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-kit-2.1.0-2.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:kafka-kit-2.1.0-2.1.x86_64" }, "product_reference": "kafka-kit-2.1.0-2.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:kafka-kit-2.1.0-2.1.aarch64", "openSUSE Tumbleweed:kafka-kit-2.1.0-2.1.ppc64le", "openSUSE Tumbleweed:kafka-kit-2.1.0-2.1.s390x", "openSUSE Tumbleweed:kafka-kit-2.1.0-2.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:kafka-kit-2.1.0-2.1.aarch64", "openSUSE Tumbleweed:kafka-kit-2.1.0-2.1.ppc64le", "openSUSE Tumbleweed:kafka-kit-2.1.0-2.1.s390x", "openSUSE Tumbleweed:kafka-kit-2.1.0-2.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:kafka-kit-2.1.0-2.1.aarch64", "openSUSE Tumbleweed:kafka-kit-2.1.0-2.1.ppc64le", "openSUSE Tumbleweed:kafka-kit-2.1.0-2.1.s390x", "openSUSE Tumbleweed:kafka-kit-2.1.0-2.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "moderate" } ], "title": "CVE-2021-4104" } ] }
suse-su-2021:14866-1
Vulnerability from csaf_suse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for log4j", "title": "Title of the patch" }, { "category": "description", "text": "This update for log4j fixes the following issues:\n\n- CVE-2021-4104: Disable the JMSAppender class from log4j to protect against\n the log4jshell vulnerability. [bsc#1193662]\n", "title": "Description of the patch" }, { "category": "details", "text": "sleposp3-log4j-14866,slessp4-log4j-14866", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_14866-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2021:14866-1", "url": "https://www.suse.com/support/update/announcement/2021/suse-su-202114866-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2021:14866-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009915.html" }, { "category": "self", "summary": "SUSE Bug 1193662", "url": "https://bugzilla.suse.com/1193662" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" } ], "title": "Security update for log4j", "tracking": { "current_release_date": "2021-12-17T10:36:12Z", "generator": { "date": "2021-12-17T10:36:12Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2021:14866-1", "initial_release_date": "2021-12-17T10:36:12Z", "revision_history": [ { "date": "2021-12-17T10:36:12Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "log4j-1.2.15-26.32.17.1.noarch", "product": { "name": "log4j-1.2.15-26.32.17.1.noarch", "product_id": "log4j-1.2.15-26.32.17.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux Enterprise Point of Sale 11 SP3", "product": { "name": "SUSE Linux Enterprise Point of Sale 11 SP3", "product_id": "SUSE Linux Enterprise Point of Sale 11 SP3", "product_identification_helper": { "cpe": "cpe:/o:suse:sle-pos:11:sp3" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Server 11 SP4-LTSS", "product": { "name": "SUSE Linux Enterprise Server 11 SP4-LTSS", "product_id": "SUSE Linux Enterprise Server 11 SP4-LTSS", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_sles:11:sp4" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.15-26.32.17.1.noarch as component of SUSE Linux Enterprise Point of Sale 11 SP3", "product_id": "SUSE Linux Enterprise Point of Sale 11 SP3:log4j-1.2.15-26.32.17.1.noarch" }, "product_reference": "log4j-1.2.15-26.32.17.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Point of Sale 11 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.15-26.32.17.1.noarch as component of SUSE Linux Enterprise Server 11 SP4-LTSS", "product_id": "SUSE Linux Enterprise Server 11 SP4-LTSS:log4j-1.2.15-26.32.17.1.noarch" }, "product_reference": "log4j-1.2.15-26.32.17.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server 11 SP4-LTSS" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Linux Enterprise Point of Sale 11 SP3:log4j-1.2.15-26.32.17.1.noarch", "SUSE Linux Enterprise Server 11 SP4-LTSS:log4j-1.2.15-26.32.17.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Linux Enterprise Point of Sale 11 SP3:log4j-1.2.15-26.32.17.1.noarch", "SUSE Linux Enterprise Server 11 SP4-LTSS:log4j-1.2.15-26.32.17.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE Linux Enterprise Point of Sale 11 SP3:log4j-1.2.15-26.32.17.1.noarch", "SUSE Linux Enterprise Server 11 SP4-LTSS:log4j-1.2.15-26.32.17.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2021-12-17T10:36:12Z", "details": "moderate" } ], "title": "CVE-2021-4104" } ] }
suse-su-2021:4160-1
Vulnerability from csaf_suse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for logstash, elasticsearch, kafka, zookeeper, openstack-monasca-agent, openstack-monasca-persister-java, openstack-monasca-thresh", "title": "Title of the patch" }, { "category": "description", "text": "This update for logstash, elasticsearch, kafka, zookeeper, openstack-monasca-agent, openstack-monasca-persister-java, openstack-monasca-thresh fixes the following issues:\n\nFixed vulnerability related to log4j version 1.2.x:\n\n- CVE-2021-4104: Fixed remote code execution through the JMS API via the ldap JNDI parser (bsc#1193662)\n", "title": "Description of the patch" }, { "category": "details", "text": "SUSE-2021-4160,SUSE-OpenStack-Cloud-9-2021-4160,SUSE-OpenStack-Cloud-Crowbar-9-2021-4160", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_4160-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2021:4160-1", "url": "https://www.suse.com/support/update/announcement/2021/suse-su-20214160-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2021:4160-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009934.html" }, { "category": "self", "summary": "SUSE Bug 1193662", "url": "https://bugzilla.suse.com/1193662" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" } ], "title": "Security update for logstash, elasticsearch, kafka, zookeeper, openstack-monasca-agent, openstack-monasca-persister-java, openstack-monasca-thresh", "tracking": { "current_release_date": "2021-12-22T15:18:54Z", "generator": { "date": "2021-12-22T15:18:54Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2021:4160-1", "initial_release_date": "2021-12-22T15:18:54Z", "revision_history": [ { "date": "2021-12-22T15:18:54Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.13-3.6.1.aarch64", "product": { "name": "libzookeeper2-3.4.13-3.6.1.aarch64", "product_id": "libzookeeper2-3.4.13-3.6.1.aarch64" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.13-3.6.1.aarch64", "product": { "name": "libzookeeper2-devel-3.4.13-3.6.1.aarch64", "product_id": "libzookeeper2-devel-3.4.13-3.6.1.aarch64" } }, { "category": "product_version", "name": "logstash-2.4.1-7.3.1.aarch64", "product": { "name": "logstash-2.4.1-7.3.1.aarch64", "product_id": "logstash-2.4.1-7.3.1.aarch64" } }, { "category": "product_version", "name": "zookeeper-client-3.4.13-3.6.1.aarch64", "product": { "name": "zookeeper-client-3.4.13-3.6.1.aarch64", "product_id": "zookeeper-client-3.4.13-3.6.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "elasticsearch-2.4.2-6.3.1.noarch", "product": { "name": "elasticsearch-2.4.2-6.3.1.noarch", "product_id": "elasticsearch-2.4.2-6.3.1.noarch" } }, { "category": "product_version", "name": "elasticsearch-kit-2.4.2-6.3.1.noarch", "product": { "name": "elasticsearch-kit-2.4.2-6.3.1.noarch", "product_id": "elasticsearch-kit-2.4.2-6.3.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-agent-2.8.2~dev5-3.12.1.noarch", "product": { "name": "openstack-monasca-agent-2.8.2~dev5-3.12.1.noarch", "product_id": "openstack-monasca-agent-2.8.2~dev5-3.12.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-persister-java-1.12.1~dev9-12.2.noarch", "product": { "name": "openstack-monasca-persister-java-1.12.1~dev9-12.2.noarch", "product_id": "openstack-monasca-persister-java-1.12.1~dev9-12.2.noarch" } }, { "category": "product_version", "name": "openstack-monasca-persister-java-kit-1.12.1.dev4-4.7.1.noarch", "product": { "name": "openstack-monasca-persister-java-kit-1.12.1.dev4-4.7.1.noarch", "product_id": "openstack-monasca-persister-java-kit-1.12.1.dev4-4.7.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-thresh-2.1.1-5.3.1.noarch", "product": { "name": "openstack-monasca-thresh-2.1.1-5.3.1.noarch", "product_id": "openstack-monasca-thresh-2.1.1-5.3.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-thresh-kit-2.1.1-4.3.1.noarch", "product": { "name": "openstack-monasca-thresh-kit-2.1.1-4.3.1.noarch", "product_id": "openstack-monasca-thresh-kit-2.1.1-4.3.1.noarch" } }, { "category": "product_version", "name": "python-monasca-agent-2.8.2~dev5-3.12.1.noarch", "product": { "name": "python-monasca-agent-2.8.2~dev5-3.12.1.noarch", "product_id": "python-monasca-agent-2.8.2~dev5-3.12.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-barbican-aarch64-7.0.1~dev24-3.27.1.noarch", "product": { "name": "venv-openstack-barbican-aarch64-7.0.1~dev24-3.27.1.noarch", "product_id": "venv-openstack-barbican-aarch64-7.0.1~dev24-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-barbican-ppc64le-7.0.1~dev24-3.27.1.noarch", "product": { "name": "venv-openstack-barbican-ppc64le-7.0.1~dev24-3.27.1.noarch", "product_id": "venv-openstack-barbican-ppc64le-7.0.1~dev24-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-barbican-s390x-7.0.1~dev24-3.27.1.noarch", "product": { "name": "venv-openstack-barbican-s390x-7.0.1~dev24-3.27.1.noarch", "product_id": "venv-openstack-barbican-s390x-7.0.1~dev24-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-barbican-x86_64-7.0.1~dev24-3.27.1.noarch", "product": { "name": "venv-openstack-barbican-x86_64-7.0.1~dev24-3.27.1.noarch", "product_id": "venv-openstack-barbican-x86_64-7.0.1~dev24-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-cinder-aarch64-13.0.10~dev23-3.30.1.noarch", "product": { "name": "venv-openstack-cinder-aarch64-13.0.10~dev23-3.30.1.noarch", "product_id": "venv-openstack-cinder-aarch64-13.0.10~dev23-3.30.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-cinder-ppc64le-13.0.10~dev23-3.30.1.noarch", "product": { "name": "venv-openstack-cinder-ppc64le-13.0.10~dev23-3.30.1.noarch", "product_id": "venv-openstack-cinder-ppc64le-13.0.10~dev23-3.30.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-cinder-s390x-13.0.10~dev23-3.30.1.noarch", "product": { "name": "venv-openstack-cinder-s390x-13.0.10~dev23-3.30.1.noarch", "product_id": "venv-openstack-cinder-s390x-13.0.10~dev23-3.30.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-cinder-x86_64-13.0.10~dev23-3.30.1.noarch", "product": { "name": "venv-openstack-cinder-x86_64-13.0.10~dev23-3.30.1.noarch", "product_id": "venv-openstack-cinder-x86_64-13.0.10~dev23-3.30.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-designate-aarch64-7.0.2~dev2-3.27.1.noarch", "product": { "name": "venv-openstack-designate-aarch64-7.0.2~dev2-3.27.1.noarch", "product_id": "venv-openstack-designate-aarch64-7.0.2~dev2-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-designate-ppc64le-7.0.2~dev2-3.27.1.noarch", "product": { "name": "venv-openstack-designate-ppc64le-7.0.2~dev2-3.27.1.noarch", "product_id": "venv-openstack-designate-ppc64le-7.0.2~dev2-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-designate-s390x-7.0.2~dev2-3.27.1.noarch", "product": { "name": "venv-openstack-designate-s390x-7.0.2~dev2-3.27.1.noarch", "product_id": "venv-openstack-designate-s390x-7.0.2~dev2-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-designate-x86_64-7.0.2~dev2-3.27.1.noarch", "product": { "name": "venv-openstack-designate-x86_64-7.0.2~dev2-3.27.1.noarch", "product_id": "venv-openstack-designate-x86_64-7.0.2~dev2-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-glance-aarch64-17.0.1~dev30-3.25.1.noarch", "product": { "name": "venv-openstack-glance-aarch64-17.0.1~dev30-3.25.1.noarch", "product_id": "venv-openstack-glance-aarch64-17.0.1~dev30-3.25.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-glance-ppc64le-17.0.1~dev30-3.25.1.noarch", "product": { "name": "venv-openstack-glance-ppc64le-17.0.1~dev30-3.25.1.noarch", "product_id": "venv-openstack-glance-ppc64le-17.0.1~dev30-3.25.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-glance-s390x-17.0.1~dev30-3.25.1.noarch", "product": { "name": "venv-openstack-glance-s390x-17.0.1~dev30-3.25.1.noarch", "product_id": "venv-openstack-glance-s390x-17.0.1~dev30-3.25.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-glance-x86_64-17.0.1~dev30-3.25.1.noarch", "product": { "name": "venv-openstack-glance-x86_64-17.0.1~dev30-3.25.1.noarch", "product_id": "venv-openstack-glance-x86_64-17.0.1~dev30-3.25.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-heat-aarch64-11.0.4~dev4-3.27.1.noarch", "product": { "name": "venv-openstack-heat-aarch64-11.0.4~dev4-3.27.1.noarch", "product_id": "venv-openstack-heat-aarch64-11.0.4~dev4-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-heat-ppc64le-11.0.4~dev4-3.27.1.noarch", "product": { "name": "venv-openstack-heat-ppc64le-11.0.4~dev4-3.27.1.noarch", "product_id": "venv-openstack-heat-ppc64le-11.0.4~dev4-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-heat-s390x-11.0.4~dev4-3.27.1.noarch", "product": { "name": "venv-openstack-heat-s390x-11.0.4~dev4-3.27.1.noarch", "product_id": "venv-openstack-heat-s390x-11.0.4~dev4-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-heat-x86_64-11.0.4~dev4-3.27.1.noarch", "product": { "name": "venv-openstack-heat-x86_64-11.0.4~dev4-3.27.1.noarch", "product_id": "venv-openstack-heat-x86_64-11.0.4~dev4-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-aarch64-14.1.1~dev11-4.31.1.noarch", "product": { "name": "venv-openstack-horizon-aarch64-14.1.1~dev11-4.31.1.noarch", "product_id": "venv-openstack-horizon-aarch64-14.1.1~dev11-4.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-ppc64le-14.1.1~dev11-4.31.1.noarch", "product": { "name": "venv-openstack-horizon-ppc64le-14.1.1~dev11-4.31.1.noarch", "product_id": "venv-openstack-horizon-ppc64le-14.1.1~dev11-4.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-s390x-14.1.1~dev11-4.31.1.noarch", "product": { "name": "venv-openstack-horizon-s390x-14.1.1~dev11-4.31.1.noarch", "product_id": "venv-openstack-horizon-s390x-14.1.1~dev11-4.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-x86_64-14.1.1~dev11-4.31.1.noarch", "product": { "name": "venv-openstack-horizon-x86_64-14.1.1~dev11-4.31.1.noarch", "product_id": "venv-openstack-horizon-x86_64-14.1.1~dev11-4.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ironic-aarch64-11.1.5~dev17-4.25.1.noarch", "product": { "name": "venv-openstack-ironic-aarch64-11.1.5~dev17-4.25.1.noarch", "product_id": "venv-openstack-ironic-aarch64-11.1.5~dev17-4.25.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ironic-ppc64le-11.1.5~dev17-4.25.1.noarch", "product": { "name": "venv-openstack-ironic-ppc64le-11.1.5~dev17-4.25.1.noarch", "product_id": "venv-openstack-ironic-ppc64le-11.1.5~dev17-4.25.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ironic-s390x-11.1.5~dev17-4.25.1.noarch", "product": { "name": "venv-openstack-ironic-s390x-11.1.5~dev17-4.25.1.noarch", "product_id": "venv-openstack-ironic-s390x-11.1.5~dev17-4.25.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ironic-x86_64-11.1.5~dev17-4.25.1.noarch", "product": { "name": "venv-openstack-ironic-x86_64-11.1.5~dev17-4.25.1.noarch", "product_id": "venv-openstack-ironic-x86_64-11.1.5~dev17-4.25.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-keystone-aarch64-14.2.1~dev7-3.28.1.noarch", "product": { "name": "venv-openstack-keystone-aarch64-14.2.1~dev7-3.28.1.noarch", "product_id": "venv-openstack-keystone-aarch64-14.2.1~dev7-3.28.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-keystone-ppc64le-14.2.1~dev7-3.28.1.noarch", "product": { "name": "venv-openstack-keystone-ppc64le-14.2.1~dev7-3.28.1.noarch", "product_id": "venv-openstack-keystone-ppc64le-14.2.1~dev7-3.28.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-keystone-s390x-14.2.1~dev7-3.28.1.noarch", "product": { "name": "venv-openstack-keystone-s390x-14.2.1~dev7-3.28.1.noarch", "product_id": "venv-openstack-keystone-s390x-14.2.1~dev7-3.28.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-keystone-x86_64-14.2.1~dev7-3.28.1.noarch", "product": { "name": "venv-openstack-keystone-x86_64-14.2.1~dev7-3.28.1.noarch", "product_id": "venv-openstack-keystone-x86_64-14.2.1~dev7-3.28.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-magnum-aarch64-7.2.1~dev1-4.27.1.noarch", "product": { "name": "venv-openstack-magnum-aarch64-7.2.1~dev1-4.27.1.noarch", "product_id": "venv-openstack-magnum-aarch64-7.2.1~dev1-4.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-magnum-ppc64le-7.2.1~dev1-4.27.1.noarch", "product": { "name": "venv-openstack-magnum-ppc64le-7.2.1~dev1-4.27.1.noarch", "product_id": "venv-openstack-magnum-ppc64le-7.2.1~dev1-4.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-magnum-s390x-7.2.1~dev1-4.27.1.noarch", "product": { "name": "venv-openstack-magnum-s390x-7.2.1~dev1-4.27.1.noarch", "product_id": "venv-openstack-magnum-s390x-7.2.1~dev1-4.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-magnum-x86_64-7.2.1~dev1-4.27.1.noarch", "product": { "name": "venv-openstack-magnum-x86_64-7.2.1~dev1-4.27.1.noarch", "product_id": "venv-openstack-magnum-x86_64-7.2.1~dev1-4.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-manila-aarch64-7.4.2~dev60-3.33.1.noarch", "product": { "name": "venv-openstack-manila-aarch64-7.4.2~dev60-3.33.1.noarch", "product_id": "venv-openstack-manila-aarch64-7.4.2~dev60-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-manila-ppc64le-7.4.2~dev60-3.33.1.noarch", "product": { "name": "venv-openstack-manila-ppc64le-7.4.2~dev60-3.33.1.noarch", "product_id": "venv-openstack-manila-ppc64le-7.4.2~dev60-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-manila-s390x-7.4.2~dev60-3.33.1.noarch", "product": { "name": "venv-openstack-manila-s390x-7.4.2~dev60-3.33.1.noarch", "product_id": "venv-openstack-manila-s390x-7.4.2~dev60-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-manila-x86_64-7.4.2~dev60-3.33.1.noarch", "product": { "name": "venv-openstack-manila-x86_64-7.4.2~dev60-3.33.1.noarch", "product_id": "venv-openstack-manila-x86_64-7.4.2~dev60-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-aarch64-2.7.1~dev10-3.27.1.noarch", "product": { "name": "venv-openstack-monasca-aarch64-2.7.1~dev10-3.27.1.noarch", "product_id": "venv-openstack-monasca-aarch64-2.7.1~dev10-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ceilometer-aarch64-1.8.2~dev3-3.27.1.noarch", "product": { "name": "venv-openstack-monasca-ceilometer-aarch64-1.8.2~dev3-3.27.1.noarch", "product_id": "venv-openstack-monasca-ceilometer-aarch64-1.8.2~dev3-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ceilometer-ppc64le-1.8.2~dev3-3.27.1.noarch", "product": { "name": "venv-openstack-monasca-ceilometer-ppc64le-1.8.2~dev3-3.27.1.noarch", "product_id": "venv-openstack-monasca-ceilometer-ppc64le-1.8.2~dev3-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ceilometer-s390x-1.8.2~dev3-3.27.1.noarch", "product": { "name": "venv-openstack-monasca-ceilometer-s390x-1.8.2~dev3-3.27.1.noarch", "product_id": "venv-openstack-monasca-ceilometer-s390x-1.8.2~dev3-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.27.1.noarch", "product": { "name": "venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.27.1.noarch", "product_id": "venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ppc64le-2.7.1~dev10-3.27.1.noarch", "product": { "name": "venv-openstack-monasca-ppc64le-2.7.1~dev10-3.27.1.noarch", "product_id": "venv-openstack-monasca-ppc64le-2.7.1~dev10-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-s390x-2.7.1~dev10-3.27.1.noarch", "product": { "name": "venv-openstack-monasca-s390x-2.7.1~dev10-3.27.1.noarch", "product_id": "venv-openstack-monasca-s390x-2.7.1~dev10-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.27.1.noarch", "product": { "name": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.27.1.noarch", "product_id": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-neutron-aarch64-13.0.8~dev164-6.31.1.noarch", "product": { "name": "venv-openstack-neutron-aarch64-13.0.8~dev164-6.31.1.noarch", "product_id": "venv-openstack-neutron-aarch64-13.0.8~dev164-6.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-neutron-ppc64le-13.0.8~dev164-6.31.1.noarch", "product": { "name": "venv-openstack-neutron-ppc64le-13.0.8~dev164-6.31.1.noarch", "product_id": "venv-openstack-neutron-ppc64le-13.0.8~dev164-6.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-neutron-s390x-13.0.8~dev164-6.31.1.noarch", "product": { "name": "venv-openstack-neutron-s390x-13.0.8~dev164-6.31.1.noarch", "product_id": "venv-openstack-neutron-s390x-13.0.8~dev164-6.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-neutron-x86_64-13.0.8~dev164-6.31.1.noarch", "product": { "name": "venv-openstack-neutron-x86_64-13.0.8~dev164-6.31.1.noarch", "product_id": "venv-openstack-neutron-x86_64-13.0.8~dev164-6.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-nova-aarch64-18.3.1~dev91-3.31.1.noarch", "product": { "name": "venv-openstack-nova-aarch64-18.3.1~dev91-3.31.1.noarch", "product_id": "venv-openstack-nova-aarch64-18.3.1~dev91-3.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-nova-ppc64le-18.3.1~dev91-3.31.1.noarch", "product": { "name": "venv-openstack-nova-ppc64le-18.3.1~dev91-3.31.1.noarch", "product_id": "venv-openstack-nova-ppc64le-18.3.1~dev91-3.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-nova-s390x-18.3.1~dev91-3.31.1.noarch", "product": { "name": "venv-openstack-nova-s390x-18.3.1~dev91-3.31.1.noarch", "product_id": "venv-openstack-nova-s390x-18.3.1~dev91-3.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-nova-x86_64-18.3.1~dev91-3.31.1.noarch", "product": { "name": "venv-openstack-nova-x86_64-18.3.1~dev91-3.31.1.noarch", "product_id": "venv-openstack-nova-x86_64-18.3.1~dev91-3.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-octavia-aarch64-3.2.3~dev7-4.27.1.noarch", "product": { "name": "venv-openstack-octavia-aarch64-3.2.3~dev7-4.27.1.noarch", "product_id": "venv-openstack-octavia-aarch64-3.2.3~dev7-4.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-octavia-ppc64le-3.2.3~dev7-4.27.1.noarch", "product": { "name": "venv-openstack-octavia-ppc64le-3.2.3~dev7-4.27.1.noarch", "product_id": "venv-openstack-octavia-ppc64le-3.2.3~dev7-4.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-octavia-s390x-3.2.3~dev7-4.27.1.noarch", "product": { "name": "venv-openstack-octavia-s390x-3.2.3~dev7-4.27.1.noarch", "product_id": "venv-openstack-octavia-s390x-3.2.3~dev7-4.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-octavia-x86_64-3.2.3~dev7-4.27.1.noarch", "product": { "name": "venv-openstack-octavia-x86_64-3.2.3~dev7-4.27.1.noarch", "product_id": "venv-openstack-octavia-x86_64-3.2.3~dev7-4.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-sahara-aarch64-9.0.2~dev15-3.27.1.noarch", "product": { "name": "venv-openstack-sahara-aarch64-9.0.2~dev15-3.27.1.noarch", "product_id": "venv-openstack-sahara-aarch64-9.0.2~dev15-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-sahara-ppc64le-9.0.2~dev15-3.27.1.noarch", "product": { "name": "venv-openstack-sahara-ppc64le-9.0.2~dev15-3.27.1.noarch", "product_id": "venv-openstack-sahara-ppc64le-9.0.2~dev15-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-sahara-s390x-9.0.2~dev15-3.27.1.noarch", "product": { "name": "venv-openstack-sahara-s390x-9.0.2~dev15-3.27.1.noarch", "product_id": "venv-openstack-sahara-s390x-9.0.2~dev15-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-sahara-x86_64-9.0.2~dev15-3.27.1.noarch", "product": { "name": "venv-openstack-sahara-x86_64-9.0.2~dev15-3.27.1.noarch", "product_id": "venv-openstack-sahara-x86_64-9.0.2~dev15-3.27.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-swift-aarch64-2.19.2~dev48-2.22.1.noarch", "product": { "name": "venv-openstack-swift-aarch64-2.19.2~dev48-2.22.1.noarch", "product_id": "venv-openstack-swift-aarch64-2.19.2~dev48-2.22.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-swift-ppc64le-2.19.2~dev48-2.22.1.noarch", "product": { "name": "venv-openstack-swift-ppc64le-2.19.2~dev48-2.22.1.noarch", "product_id": "venv-openstack-swift-ppc64le-2.19.2~dev48-2.22.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-swift-s390x-2.19.2~dev48-2.22.1.noarch", "product": { "name": "venv-openstack-swift-s390x-2.19.2~dev48-2.22.1.noarch", "product_id": "venv-openstack-swift-s390x-2.19.2~dev48-2.22.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-swift-x86_64-2.19.2~dev48-2.22.1.noarch", "product": { "name": "venv-openstack-swift-x86_64-2.19.2~dev48-2.22.1.noarch", "product_id": "venv-openstack-swift-x86_64-2.19.2~dev48-2.22.1.noarch" } }, { "category": "product_version", "name": "zookeeper-kit-3.4.13-3.3.1.noarch", "product": { "name": "zookeeper-kit-3.4.13-3.3.1.noarch", "product_id": "zookeeper-kit-3.4.13-3.3.1.noarch" } }, { "category": "product_version", "name": "zookeeper-server-3.4.13-3.6.1.noarch", "product": { "name": "zookeeper-server-3.4.13-3.6.1.noarch", "product_id": "zookeeper-server-3.4.13-3.6.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.13-3.6.1.ppc64le", "product": { "name": "libzookeeper2-3.4.13-3.6.1.ppc64le", "product_id": "libzookeeper2-3.4.13-3.6.1.ppc64le" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.13-3.6.1.ppc64le", "product": { "name": "libzookeeper2-devel-3.4.13-3.6.1.ppc64le", "product_id": "libzookeeper2-devel-3.4.13-3.6.1.ppc64le" } }, { "category": "product_version", "name": "logstash-2.4.1-7.3.1.ppc64le", "product": { "name": "logstash-2.4.1-7.3.1.ppc64le", "product_id": "logstash-2.4.1-7.3.1.ppc64le" } }, { "category": "product_version", "name": "zookeeper-client-3.4.13-3.6.1.ppc64le", "product": { "name": "zookeeper-client-3.4.13-3.6.1.ppc64le", "product_id": "zookeeper-client-3.4.13-3.6.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.13-3.6.1.s390x", "product": { "name": "libzookeeper2-3.4.13-3.6.1.s390x", "product_id": "libzookeeper2-3.4.13-3.6.1.s390x" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.13-3.6.1.s390x", "product": { "name": "libzookeeper2-devel-3.4.13-3.6.1.s390x", "product_id": "libzookeeper2-devel-3.4.13-3.6.1.s390x" } }, { "category": "product_version", "name": "logstash-2.4.1-7.3.1.s390x", "product": { "name": "logstash-2.4.1-7.3.1.s390x", "product_id": "logstash-2.4.1-7.3.1.s390x" } }, { "category": "product_version", "name": "zookeeper-client-3.4.13-3.6.1.s390x", "product": { "name": "zookeeper-client-3.4.13-3.6.1.s390x", "product_id": "zookeeper-client-3.4.13-3.6.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "kafka-0.10.2.2-3.2.1.x86_64", "product": { "name": "kafka-0.10.2.2-3.2.1.x86_64", "product_id": "kafka-0.10.2.2-3.2.1.x86_64" } }, { "category": "product_version", "name": "kafka-doc-0.10.2.2-3.2.1.x86_64", "product": { "name": "kafka-doc-0.10.2.2-3.2.1.x86_64", "product_id": "kafka-doc-0.10.2.2-3.2.1.x86_64" } }, { "category": "product_version", "name": "kafka-kit-0.10.2.2-3.3.1.x86_64", "product": { "name": "kafka-kit-0.10.2.2-3.3.1.x86_64", "product_id": "kafka-kit-0.10.2.2-3.3.1.x86_64" } }, { "category": "product_version", "name": "kafka-zookeeper-0.10.2.2-3.2.1.x86_64", "product": { "name": "kafka-zookeeper-0.10.2.2-3.2.1.x86_64", "product_id": "kafka-zookeeper-0.10.2.2-3.2.1.x86_64" } }, { "category": "product_version", "name": "libzookeeper2-3.4.13-3.6.1.x86_64", "product": { "name": "libzookeeper2-3.4.13-3.6.1.x86_64", "product_id": "libzookeeper2-3.4.13-3.6.1.x86_64" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.13-3.6.1.x86_64", "product": { "name": "libzookeeper2-devel-3.4.13-3.6.1.x86_64", "product_id": "libzookeeper2-devel-3.4.13-3.6.1.x86_64" } }, { "category": "product_version", "name": "logstash-2.4.1-7.3.1.x86_64", "product": { "name": "logstash-2.4.1-7.3.1.x86_64", "product_id": "logstash-2.4.1-7.3.1.x86_64" } }, { "category": "product_version", "name": "zookeeper-client-3.4.13-3.6.1.x86_64", "product": { "name": "zookeeper-client-3.4.13-3.6.1.x86_64", "product_id": "zookeeper-client-3.4.13-3.6.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "SUSE OpenStack Cloud 9", "product": { "name": "SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud:9" } } }, { "category": "product_name", "name": "SUSE OpenStack Cloud Crowbar 9", "product": { "name": "SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:9" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "elasticsearch-2.4.2-6.3.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:elasticsearch-2.4.2-6.3.1.noarch" }, "product_reference": "elasticsearch-2.4.2-6.3.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-0.10.2.2-3.2.1.x86_64 as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:kafka-0.10.2.2-3.2.1.x86_64" }, "product_reference": "kafka-0.10.2.2-3.2.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "logstash-2.4.1-7.3.1.x86_64 as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:logstash-2.4.1-7.3.1.x86_64" }, "product_reference": "logstash-2.4.1-7.3.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-agent-2.8.2~dev5-3.12.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.12.1.noarch" }, "product_reference": "openstack-monasca-agent-2.8.2~dev5-3.12.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-persister-java-1.12.1~dev9-12.2.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:openstack-monasca-persister-java-1.12.1~dev9-12.2.noarch" }, "product_reference": "openstack-monasca-persister-java-1.12.1~dev9-12.2.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-thresh-2.1.1-5.3.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:openstack-monasca-thresh-2.1.1-5.3.1.noarch" }, "product_reference": "openstack-monasca-thresh-2.1.1-5.3.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "python-monasca-agent-2.8.2~dev5-3.12.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.12.1.noarch" }, "product_reference": "python-monasca-agent-2.8.2~dev5-3.12.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-barbican-x86_64-7.0.1~dev24-3.27.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.27.1.noarch" }, "product_reference": "venv-openstack-barbican-x86_64-7.0.1~dev24-3.27.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-cinder-x86_64-13.0.10~dev23-3.30.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-cinder-x86_64-13.0.10~dev23-3.30.1.noarch" }, "product_reference": "venv-openstack-cinder-x86_64-13.0.10~dev23-3.30.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-designate-x86_64-7.0.2~dev2-3.27.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-designate-x86_64-7.0.2~dev2-3.27.1.noarch" }, "product_reference": "venv-openstack-designate-x86_64-7.0.2~dev2-3.27.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-glance-x86_64-17.0.1~dev30-3.25.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-glance-x86_64-17.0.1~dev30-3.25.1.noarch" }, "product_reference": "venv-openstack-glance-x86_64-17.0.1~dev30-3.25.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-heat-x86_64-11.0.4~dev4-3.27.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-heat-x86_64-11.0.4~dev4-3.27.1.noarch" }, "product_reference": "venv-openstack-heat-x86_64-11.0.4~dev4-3.27.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-horizon-x86_64-14.1.1~dev11-4.31.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.31.1.noarch" }, "product_reference": "venv-openstack-horizon-x86_64-14.1.1~dev11-4.31.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-ironic-x86_64-11.1.5~dev17-4.25.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-ironic-x86_64-11.1.5~dev17-4.25.1.noarch" }, "product_reference": "venv-openstack-ironic-x86_64-11.1.5~dev17-4.25.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-keystone-x86_64-14.2.1~dev7-3.28.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-keystone-x86_64-14.2.1~dev7-3.28.1.noarch" }, "product_reference": "venv-openstack-keystone-x86_64-14.2.1~dev7-3.28.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-magnum-x86_64-7.2.1~dev1-4.27.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-magnum-x86_64-7.2.1~dev1-4.27.1.noarch" }, "product_reference": "venv-openstack-magnum-x86_64-7.2.1~dev1-4.27.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-manila-x86_64-7.4.2~dev60-3.33.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-manila-x86_64-7.4.2~dev60-3.33.1.noarch" }, "product_reference": "venv-openstack-manila-x86_64-7.4.2~dev60-3.33.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.27.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.27.1.noarch" }, "product_reference": "venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.27.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.27.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.27.1.noarch" }, "product_reference": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.27.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-neutron-x86_64-13.0.8~dev164-6.31.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev164-6.31.1.noarch" }, "product_reference": "venv-openstack-neutron-x86_64-13.0.8~dev164-6.31.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-nova-x86_64-18.3.1~dev91-3.31.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev91-3.31.1.noarch" }, "product_reference": "venv-openstack-nova-x86_64-18.3.1~dev91-3.31.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-octavia-x86_64-3.2.3~dev7-4.27.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-octavia-x86_64-3.2.3~dev7-4.27.1.noarch" }, "product_reference": "venv-openstack-octavia-x86_64-3.2.3~dev7-4.27.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-sahara-x86_64-9.0.2~dev15-3.27.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-sahara-x86_64-9.0.2~dev15-3.27.1.noarch" }, "product_reference": "venv-openstack-sahara-x86_64-9.0.2~dev15-3.27.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-swift-x86_64-2.19.2~dev48-2.22.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-swift-x86_64-2.19.2~dev48-2.22.1.noarch" }, "product_reference": "venv-openstack-swift-x86_64-2.19.2~dev48-2.22.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "zookeeper-server-3.4.13-3.6.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.6.1.noarch" }, "product_reference": "zookeeper-server-3.4.13-3.6.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "elasticsearch-2.4.2-6.3.1.noarch as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:elasticsearch-2.4.2-6.3.1.noarch" }, "product_reference": "elasticsearch-2.4.2-6.3.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-0.10.2.2-3.2.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:kafka-0.10.2.2-3.2.1.x86_64" }, "product_reference": "kafka-0.10.2.2-3.2.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "logstash-2.4.1-7.3.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:logstash-2.4.1-7.3.1.x86_64" }, "product_reference": "logstash-2.4.1-7.3.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-agent-2.8.2~dev5-3.12.1.noarch as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.12.1.noarch" }, "product_reference": "openstack-monasca-agent-2.8.2~dev5-3.12.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-persister-java-1.12.1~dev9-12.2.noarch as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-persister-java-1.12.1~dev9-12.2.noarch" }, "product_reference": "openstack-monasca-persister-java-1.12.1~dev9-12.2.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-thresh-2.1.1-5.3.1.noarch as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-thresh-2.1.1-5.3.1.noarch" }, "product_reference": "openstack-monasca-thresh-2.1.1-5.3.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "python-monasca-agent-2.8.2~dev5-3.12.1.noarch as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.12.1.noarch" }, "product_reference": "python-monasca-agent-2.8.2~dev5-3.12.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "zookeeper-server-3.4.13-3.6.1.noarch as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.6.1.noarch" }, "product_reference": "zookeeper-server-3.4.13-3.6.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE OpenStack Cloud 9:elasticsearch-2.4.2-6.3.1.noarch", "SUSE OpenStack Cloud 9:kafka-0.10.2.2-3.2.1.x86_64", "SUSE OpenStack Cloud 9:logstash-2.4.1-7.3.1.x86_64", "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.12.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-persister-java-1.12.1~dev9-12.2.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-thresh-2.1.1-5.3.1.noarch", "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.12.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-cinder-x86_64-13.0.10~dev23-3.30.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-designate-x86_64-7.0.2~dev2-3.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-glance-x86_64-17.0.1~dev30-3.25.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-heat-x86_64-11.0.4~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-ironic-x86_64-11.1.5~dev17-4.25.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-keystone-x86_64-14.2.1~dev7-3.28.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-magnum-x86_64-7.2.1~dev1-4.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-manila-x86_64-7.4.2~dev60-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev164-6.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev91-3.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-octavia-x86_64-3.2.3~dev7-4.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-sahara-x86_64-9.0.2~dev15-3.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-swift-x86_64-2.19.2~dev48-2.22.1.noarch", "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:elasticsearch-2.4.2-6.3.1.noarch", "SUSE OpenStack Cloud Crowbar 9:kafka-0.10.2.2-3.2.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:logstash-2.4.1-7.3.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-persister-java-1.12.1~dev9-12.2.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-thresh-2.1.1-5.3.1.noarch", "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.6.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE OpenStack Cloud 9:elasticsearch-2.4.2-6.3.1.noarch", "SUSE OpenStack Cloud 9:kafka-0.10.2.2-3.2.1.x86_64", "SUSE OpenStack Cloud 9:logstash-2.4.1-7.3.1.x86_64", "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.12.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-persister-java-1.12.1~dev9-12.2.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-thresh-2.1.1-5.3.1.noarch", "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.12.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-cinder-x86_64-13.0.10~dev23-3.30.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-designate-x86_64-7.0.2~dev2-3.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-glance-x86_64-17.0.1~dev30-3.25.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-heat-x86_64-11.0.4~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-ironic-x86_64-11.1.5~dev17-4.25.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-keystone-x86_64-14.2.1~dev7-3.28.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-magnum-x86_64-7.2.1~dev1-4.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-manila-x86_64-7.4.2~dev60-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev164-6.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev91-3.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-octavia-x86_64-3.2.3~dev7-4.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-sahara-x86_64-9.0.2~dev15-3.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-swift-x86_64-2.19.2~dev48-2.22.1.noarch", "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:elasticsearch-2.4.2-6.3.1.noarch", "SUSE OpenStack Cloud Crowbar 9:kafka-0.10.2.2-3.2.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:logstash-2.4.1-7.3.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-persister-java-1.12.1~dev9-12.2.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-thresh-2.1.1-5.3.1.noarch", "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.6.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE OpenStack Cloud 9:elasticsearch-2.4.2-6.3.1.noarch", "SUSE OpenStack Cloud 9:kafka-0.10.2.2-3.2.1.x86_64", "SUSE OpenStack Cloud 9:logstash-2.4.1-7.3.1.x86_64", "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.12.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-persister-java-1.12.1~dev9-12.2.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-thresh-2.1.1-5.3.1.noarch", "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.12.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-cinder-x86_64-13.0.10~dev23-3.30.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-designate-x86_64-7.0.2~dev2-3.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-glance-x86_64-17.0.1~dev30-3.25.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-heat-x86_64-11.0.4~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-ironic-x86_64-11.1.5~dev17-4.25.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-keystone-x86_64-14.2.1~dev7-3.28.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-magnum-x86_64-7.2.1~dev1-4.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-manila-x86_64-7.4.2~dev60-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev164-6.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev91-3.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-octavia-x86_64-3.2.3~dev7-4.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-sahara-x86_64-9.0.2~dev15-3.27.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-swift-x86_64-2.19.2~dev48-2.22.1.noarch", "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:elasticsearch-2.4.2-6.3.1.noarch", "SUSE OpenStack Cloud Crowbar 9:kafka-0.10.2.2-3.2.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:logstash-2.4.1-7.3.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-persister-java-1.12.1~dev9-12.2.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-thresh-2.1.1-5.3.1.noarch", "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.6.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2021-12-22T15:18:54Z", "details": "moderate" } ], "title": "CVE-2021-4104" } ] }
suse-su-2022:0126-1
Vulnerability from csaf_suse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for openstack-monasca-agent, spark, spark-kit, zookeeper", "title": "Title of the patch" }, { "category": "description", "text": "This update for openstack-monasca-agent, spark, spark-kit, zookeeper fixes the following issues:\n\n- CVE-2021-4104: Remove JMSAppender from log4j jars (bsc#1193662)\n", "title": "Description of the patch" }, { "category": "details", "text": "HPE-Helion-OpenStack-8-2022-126,SUSE-2022-126,SUSE-OpenStack-Cloud-8-2022-126,SUSE-OpenStack-Cloud-Crowbar-8-2022-126", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_0126-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2022:0126-1", "url": "https://www.suse.com/support/update/announcement/2022/suse-su-20220126-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2022:0126-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-January/010026.html" }, { "category": "self", "summary": "SUSE Bug 1193662", "url": "https://bugzilla.suse.com/1193662" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" } ], "title": "Security update for openstack-monasca-agent, spark, spark-kit, zookeeper", "tracking": { "current_release_date": "2022-01-19T08:23:30Z", "generator": { "date": "2022-01-19T08:23:30Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2022:0126-1", "initial_release_date": "2022-01-19T08:23:30Z", "revision_history": [ { "date": "2022-01-19T08:23:30Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.10-3.12.1.aarch64", "product": { "name": "libzookeeper2-3.4.10-3.12.1.aarch64", "product_id": "libzookeeper2-3.4.10-3.12.1.aarch64" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.10-3.12.1.aarch64", "product": { "name": "libzookeeper2-devel-3.4.10-3.12.1.aarch64", "product_id": "libzookeeper2-devel-3.4.10-3.12.1.aarch64" } }, { "category": "product_version", "name": "zookeeper-client-3.4.10-3.12.1.aarch64", "product": { "name": "zookeeper-client-3.4.10-3.12.1.aarch64", "product_id": "zookeeper-client-3.4.10-3.12.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch", "product": { "name": "openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch", "product_id": "openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch" } }, { "category": "product_version", "name": "python-monasca-agent-2.2.6~dev4-3.24.1.noarch", "product": { "name": "python-monasca-agent-2.2.6~dev4-3.24.1.noarch", "product_id": "python-monasca-agent-2.2.6~dev4-3.24.1.noarch" } }, { "category": "product_version", "name": "spark-1.6.3-8.9.2.noarch", "product": { "name": "spark-1.6.3-8.9.2.noarch", "product_id": "spark-1.6.3-8.9.2.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.37.1.noarch", "product": { "name": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.37.1.noarch", "product_id": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.37.1.noarch" } }, { "category": "product_version", "name": "zookeeper-server-3.4.10-3.12.1.noarch", "product": { "name": "zookeeper-server-3.4.10-3.12.1.noarch", "product_id": "zookeeper-server-3.4.10-3.12.1.noarch" } }, { "category": "product_version", "name": "spark-kit-1.6.3-3.3.1.noarch", "product": { "name": "spark-kit-1.6.3-3.3.1.noarch", "product_id": "spark-kit-1.6.3-3.3.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-aarch64-2.2.2~dev1-11.37.1.noarch", "product": { "name": "venv-openstack-monasca-aarch64-2.2.2~dev1-11.37.1.noarch", "product_id": "venv-openstack-monasca-aarch64-2.2.2~dev1-11.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ppc64le-2.2.2~dev1-11.37.1.noarch", "product": { "name": "venv-openstack-monasca-ppc64le-2.2.2~dev1-11.37.1.noarch", "product_id": "venv-openstack-monasca-ppc64le-2.2.2~dev1-11.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-s390x-2.2.2~dev1-11.37.1.noarch", "product": { "name": "venv-openstack-monasca-s390x-2.2.2~dev1-11.37.1.noarch", "product_id": "venv-openstack-monasca-s390x-2.2.2~dev1-11.37.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.10-3.12.1.ppc64le", "product": { "name": "libzookeeper2-3.4.10-3.12.1.ppc64le", "product_id": "libzookeeper2-3.4.10-3.12.1.ppc64le" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.10-3.12.1.ppc64le", "product": { "name": "libzookeeper2-devel-3.4.10-3.12.1.ppc64le", "product_id": "libzookeeper2-devel-3.4.10-3.12.1.ppc64le" } }, { "category": "product_version", "name": "zookeeper-client-3.4.10-3.12.1.ppc64le", "product": { "name": "zookeeper-client-3.4.10-3.12.1.ppc64le", "product_id": "zookeeper-client-3.4.10-3.12.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.10-3.12.1.s390x", "product": { "name": "libzookeeper2-3.4.10-3.12.1.s390x", "product_id": "libzookeeper2-3.4.10-3.12.1.s390x" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.10-3.12.1.s390x", "product": { "name": "libzookeeper2-devel-3.4.10-3.12.1.s390x", "product_id": "libzookeeper2-devel-3.4.10-3.12.1.s390x" } }, { "category": "product_version", "name": "zookeeper-client-3.4.10-3.12.1.s390x", "product": { "name": "zookeeper-client-3.4.10-3.12.1.s390x", "product_id": "zookeeper-client-3.4.10-3.12.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.10-3.12.1.x86_64", "product": { "name": "libzookeeper2-3.4.10-3.12.1.x86_64", "product_id": "libzookeeper2-3.4.10-3.12.1.x86_64" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.10-3.12.1.x86_64", "product": { "name": "libzookeeper2-devel-3.4.10-3.12.1.x86_64", "product_id": "libzookeeper2-devel-3.4.10-3.12.1.x86_64" } }, { "category": "product_version", "name": "zookeeper-client-3.4.10-3.12.1.x86_64", "product": { "name": "zookeeper-client-3.4.10-3.12.1.x86_64", "product_id": "zookeeper-client-3.4.10-3.12.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "HPE Helion OpenStack 8", "product": { "name": "HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8", "product_identification_helper": { "cpe": "cpe:/o:suse:hpe-helion-openstack:8" } } }, { "category": "product_name", "name": "SUSE OpenStack Cloud 8", "product": { "name": "SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud:8" } } }, { "category": "product_name", "name": "SUSE OpenStack Cloud Crowbar 8", "product": { "name": "SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:8" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch" }, "product_reference": "openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "python-monasca-agent-2.2.6~dev4-3.24.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.24.1.noarch" }, "product_reference": "python-monasca-agent-2.2.6~dev4-3.24.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "spark-1.6.3-8.9.2.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:spark-1.6.3-8.9.2.noarch" }, "product_reference": "spark-1.6.3-8.9.2.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.37.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.37.1.noarch" }, "product_reference": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.37.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "zookeeper-server-3.4.10-3.12.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.12.1.noarch" }, "product_reference": "zookeeper-server-3.4.10-3.12.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch" }, "product_reference": "openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "python-monasca-agent-2.2.6~dev4-3.24.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.24.1.noarch" }, "product_reference": "python-monasca-agent-2.2.6~dev4-3.24.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "spark-1.6.3-8.9.2.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:spark-1.6.3-8.9.2.noarch" }, "product_reference": "spark-1.6.3-8.9.2.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.37.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.37.1.noarch" }, "product_reference": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.37.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "zookeeper-server-3.4.10-3.12.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.12.1.noarch" }, "product_reference": "zookeeper-server-3.4.10-3.12.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch" }, "product_reference": "openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "python-monasca-agent-2.2.6~dev4-3.24.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.24.1.noarch" }, "product_reference": "python-monasca-agent-2.2.6~dev4-3.24.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "spark-1.6.3-8.9.2.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:spark-1.6.3-8.9.2.noarch" }, "product_reference": "spark-1.6.3-8.9.2.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "zookeeper-server-3.4.10-3.12.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.12.1.noarch" }, "product_reference": "zookeeper-server-3.4.10-3.12.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch", "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.24.1.noarch", "HPE Helion OpenStack 8:spark-1.6.3-8.9.2.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.37.1.noarch", "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.12.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch", "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.24.1.noarch", "SUSE OpenStack Cloud 8:spark-1.6.3-8.9.2.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.37.1.noarch", "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.24.1.noarch", "SUSE OpenStack Cloud Crowbar 8:spark-1.6.3-8.9.2.noarch", "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.12.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch", "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.24.1.noarch", "HPE Helion OpenStack 8:spark-1.6.3-8.9.2.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.37.1.noarch", "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.12.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch", "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.24.1.noarch", "SUSE OpenStack Cloud 8:spark-1.6.3-8.9.2.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.37.1.noarch", "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.24.1.noarch", "SUSE OpenStack Cloud Crowbar 8:spark-1.6.3-8.9.2.noarch", "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.12.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch", "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.24.1.noarch", "HPE Helion OpenStack 8:spark-1.6.3-8.9.2.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.37.1.noarch", "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.12.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch", "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.24.1.noarch", "SUSE OpenStack Cloud 8:spark-1.6.3-8.9.2.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.37.1.noarch", "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.24.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.24.1.noarch", "SUSE OpenStack Cloud Crowbar 8:spark-1.6.3-8.9.2.noarch", "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.12.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2022-01-19T08:23:30Z", "details": "moderate" } ], "title": "CVE-2021-4104" } ] }
suse-su-2021:4190-1
Vulnerability from csaf_suse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for logstash", "title": "Title of the patch" }, { "category": "description", "text": "This update for logstash fixes the following issues:\n\nFixed vulnerability related to log4j version 1.2.x\n\n- CVE-2021-4104: Fixed remote code execution through the JMS API via the ldap JNDI parser (bsc#1193662)\n", "title": "Description of the patch" }, { "category": "details", "text": "HPE-Helion-OpenStack-8-2021-4190,SUSE-2021-4190,SUSE-OpenStack-Cloud-8-2021-4190,SUSE-OpenStack-Cloud-Crowbar-8-2021-4190", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_4190-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2021:4190-1", "url": "https://www.suse.com/support/update/announcement/2021/suse-su-20214190-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2021:4190-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009943.html" }, { "category": "self", "summary": "SUSE Bug 1193662", "url": "https://bugzilla.suse.com/1193662" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" } ], "title": "Security update for logstash", "tracking": { "current_release_date": "2021-12-24T08:36:07Z", "generator": { "date": "2021-12-24T08:36:07Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2021:4190-1", "initial_release_date": "2021-12-24T08:36:07Z", "revision_history": [ { "date": "2021-12-24T08:36:07Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.10-3.9.1.aarch64", "product": { "name": "libzookeeper2-3.4.10-3.9.1.aarch64", "product_id": "libzookeeper2-3.4.10-3.9.1.aarch64" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.10-3.9.1.aarch64", "product": { "name": "libzookeeper2-devel-3.4.10-3.9.1.aarch64", "product_id": "libzookeeper2-devel-3.4.10-3.9.1.aarch64" } }, { "category": "product_version", "name": "logstash-2.4.1-5.7.1.aarch64", "product": { "name": "logstash-2.4.1-5.7.1.aarch64", "product_id": "logstash-2.4.1-5.7.1.aarch64" } }, { "category": "product_version", "name": "zookeeper-client-3.4.10-3.9.1.aarch64", "product": { "name": "zookeeper-client-3.4.10-3.9.1.aarch64", "product_id": "zookeeper-client-3.4.10-3.9.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "elasticsearch-2.4.2-5.3.1.noarch", "product": { "name": "elasticsearch-2.4.2-5.3.1.noarch", "product_id": "elasticsearch-2.4.2-5.3.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch", "product": { "name": "openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch", "product_id": "openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch", "product": { "name": "openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch", "product_id": "openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-thresh-2.1.1-4.3.1.noarch", "product": { "name": "openstack-monasca-thresh-2.1.1-4.3.1.noarch", "product_id": "openstack-monasca-thresh-2.1.1-4.3.1.noarch" } }, { "category": "product_version", "name": "python-monasca-agent-2.2.6~dev4-3.21.1.noarch", "product": { "name": "python-monasca-agent-2.2.6~dev4-3.21.1.noarch", "product_id": "python-monasca-agent-2.2.6~dev4-3.21.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-aodh-x86_64-5.1.1~dev7-12.34.1.noarch", "product": { "name": "venv-openstack-aodh-x86_64-5.1.1~dev7-12.34.1.noarch", "product_id": "venv-openstack-aodh-x86_64-5.1.1~dev7-12.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-barbican-x86_64-5.0.2~dev3-12.35.1.noarch", "product": { "name": "venv-openstack-barbican-x86_64-5.0.2~dev3-12.35.1.noarch", "product_id": "venv-openstack-barbican-x86_64-5.0.2~dev3-12.35.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.32.1.noarch", "product": { "name": "venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.32.1.noarch", "product_id": "venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.32.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-cinder-x86_64-11.2.3~dev29-14.36.1.noarch", "product": { "name": "venv-openstack-cinder-x86_64-11.2.3~dev29-14.36.1.noarch", "product_id": "venv-openstack-cinder-x86_64-11.2.3~dev29-14.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-designate-x86_64-5.0.3~dev7-12.33.1.noarch", "product": { "name": "venv-openstack-designate-x86_64-5.0.3~dev7-12.33.1.noarch", "product_id": "venv-openstack-designate-x86_64-5.0.3~dev7-12.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.30.1.noarch", "product": { "name": "venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.30.1.noarch", "product_id": "venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.30.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-glance-x86_64-15.0.3~dev3-12.33.1.noarch", "product": { "name": "venv-openstack-glance-x86_64-15.0.3~dev3-12.33.1.noarch", "product_id": "venv-openstack-glance-x86_64-15.0.3~dev3-12.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-heat-x86_64-9.0.8~dev22-12.37.1.noarch", "product": { "name": "venv-openstack-heat-x86_64-9.0.8~dev22-12.37.1.noarch", "product_id": "venv-openstack-heat-x86_64-9.0.8~dev22-12.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.40.1.noarch", "product": { "name": "venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.40.1.noarch", "product_id": "venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ironic-x86_64-9.1.8~dev8-12.35.1.noarch", "product": { "name": "venv-openstack-ironic-x86_64-9.1.8~dev8-12.35.1.noarch", "product_id": "venv-openstack-ironic-x86_64-9.1.8~dev8-12.35.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-keystone-x86_64-12.0.4~dev11-11.37.1.noarch", "product": { "name": "venv-openstack-keystone-x86_64-12.0.4~dev11-11.37.1.noarch", "product_id": "venv-openstack-keystone-x86_64-12.0.4~dev11-11.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch", "product": { "name": "venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch", "product_id": "venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-manila-x86_64-5.1.1~dev5-12.39.1.noarch", "product": { "name": "venv-openstack-manila-x86_64-5.1.1~dev5-12.39.1.noarch", "product_id": "venv-openstack-manila-x86_64-5.1.1~dev5-12.39.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch", "product": { "name": "venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch", "product_id": "venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.34.1.noarch", "product": { "name": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.34.1.noarch", "product_id": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-murano-x86_64-4.0.2~dev2-12.30.1.noarch", "product": { "name": "venv-openstack-murano-x86_64-4.0.2~dev2-12.30.1.noarch", "product_id": "venv-openstack-murano-x86_64-4.0.2~dev2-12.30.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-neutron-x86_64-11.0.9~dev69-13.40.1.noarch", "product": { "name": "venv-openstack-neutron-x86_64-11.0.9~dev69-13.40.1.noarch", "product_id": "venv-openstack-neutron-x86_64-11.0.9~dev69-13.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-nova-x86_64-16.1.9~dev92-11.38.1.noarch", "product": { "name": "venv-openstack-nova-x86_64-16.1.9~dev92-11.38.1.noarch", "product_id": "venv-openstack-nova-x86_64-16.1.9~dev92-11.38.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-octavia-x86_64-1.0.6~dev3-12.35.1.noarch", "product": { "name": "venv-openstack-octavia-x86_64-1.0.6~dev3-12.35.1.noarch", "product_id": "venv-openstack-octavia-x86_64-1.0.6~dev3-12.35.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-sahara-x86_64-7.0.5~dev4-11.34.1.noarch", "product": { "name": "venv-openstack-sahara-x86_64-7.0.5~dev4-11.34.1.noarch", "product_id": "venv-openstack-sahara-x86_64-7.0.5~dev4-11.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch", "product": { "name": "venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch", "product_id": "venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-trove-x86_64-8.0.2~dev2-11.34.1.noarch", "product": { "name": "venv-openstack-trove-x86_64-8.0.2~dev2-11.34.1.noarch", "product_id": "venv-openstack-trove-x86_64-8.0.2~dev2-11.34.1.noarch" } }, { "category": "product_version", "name": "zookeeper-server-3.4.10-3.9.1.noarch", "product": { "name": "zookeeper-server-3.4.10-3.9.1.noarch", "product_id": "zookeeper-server-3.4.10-3.9.1.noarch" } }, { "category": "product_version", "name": "elasticsearch-kit-2.4.2-5.3.1.noarch", "product": { "name": "elasticsearch-kit-2.4.2-5.3.1.noarch", "product_id": "elasticsearch-kit-2.4.2-5.3.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-persister-java-kit-1.7.1~a0~dev2-3.3.1.noarch", "product": { "name": "openstack-monasca-persister-java-kit-1.7.1~a0~dev2-3.3.1.noarch", "product_id": "openstack-monasca-persister-java-kit-1.7.1~a0~dev2-3.3.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-thresh-kit-2.1.1-3.3.1.noarch", "product": { "name": "openstack-monasca-thresh-kit-2.1.1-3.3.1.noarch", "product_id": "openstack-monasca-thresh-kit-2.1.1-3.3.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-aodh-aarch64-5.1.1~dev7-12.34.1.noarch", "product": { "name": "venv-openstack-aodh-aarch64-5.1.1~dev7-12.34.1.noarch", "product_id": "venv-openstack-aodh-aarch64-5.1.1~dev7-12.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-aodh-ppc64le-5.1.1~dev7-12.34.1.noarch", "product": { "name": "venv-openstack-aodh-ppc64le-5.1.1~dev7-12.34.1.noarch", "product_id": "venv-openstack-aodh-ppc64le-5.1.1~dev7-12.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-aodh-s390x-5.1.1~dev7-12.34.1.noarch", "product": { "name": "venv-openstack-aodh-s390x-5.1.1~dev7-12.34.1.noarch", "product_id": "venv-openstack-aodh-s390x-5.1.1~dev7-12.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-barbican-aarch64-5.0.2~dev3-12.35.1.noarch", "product": { "name": "venv-openstack-barbican-aarch64-5.0.2~dev3-12.35.1.noarch", "product_id": "venv-openstack-barbican-aarch64-5.0.2~dev3-12.35.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-barbican-ppc64le-5.0.2~dev3-12.35.1.noarch", "product": { "name": "venv-openstack-barbican-ppc64le-5.0.2~dev3-12.35.1.noarch", "product_id": "venv-openstack-barbican-ppc64le-5.0.2~dev3-12.35.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-barbican-s390x-5.0.2~dev3-12.35.1.noarch", "product": { "name": "venv-openstack-barbican-s390x-5.0.2~dev3-12.35.1.noarch", "product_id": "venv-openstack-barbican-s390x-5.0.2~dev3-12.35.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ceilometer-aarch64-9.0.8~dev7-12.32.1.noarch", "product": { "name": "venv-openstack-ceilometer-aarch64-9.0.8~dev7-12.32.1.noarch", "product_id": "venv-openstack-ceilometer-aarch64-9.0.8~dev7-12.32.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ceilometer-ppc64le-9.0.8~dev7-12.32.1.noarch", "product": { "name": "venv-openstack-ceilometer-ppc64le-9.0.8~dev7-12.32.1.noarch", "product_id": "venv-openstack-ceilometer-ppc64le-9.0.8~dev7-12.32.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ceilometer-s390x-9.0.8~dev7-12.32.1.noarch", "product": { "name": "venv-openstack-ceilometer-s390x-9.0.8~dev7-12.32.1.noarch", "product_id": "venv-openstack-ceilometer-s390x-9.0.8~dev7-12.32.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-cinder-aarch64-11.2.3~dev29-14.36.1.noarch", "product": { "name": "venv-openstack-cinder-aarch64-11.2.3~dev29-14.36.1.noarch", "product_id": "venv-openstack-cinder-aarch64-11.2.3~dev29-14.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-cinder-ppc64le-11.2.3~dev29-14.36.1.noarch", "product": { "name": "venv-openstack-cinder-ppc64le-11.2.3~dev29-14.36.1.noarch", "product_id": "venv-openstack-cinder-ppc64le-11.2.3~dev29-14.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-cinder-s390x-11.2.3~dev29-14.36.1.noarch", "product": { "name": "venv-openstack-cinder-s390x-11.2.3~dev29-14.36.1.noarch", "product_id": "venv-openstack-cinder-s390x-11.2.3~dev29-14.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-designate-aarch64-5.0.3~dev7-12.33.1.noarch", "product": { "name": "venv-openstack-designate-aarch64-5.0.3~dev7-12.33.1.noarch", "product_id": "venv-openstack-designate-aarch64-5.0.3~dev7-12.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-designate-ppc64le-5.0.3~dev7-12.33.1.noarch", "product": { "name": "venv-openstack-designate-ppc64le-5.0.3~dev7-12.33.1.noarch", "product_id": "venv-openstack-designate-ppc64le-5.0.3~dev7-12.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-designate-s390x-5.0.3~dev7-12.33.1.noarch", "product": { "name": "venv-openstack-designate-s390x-5.0.3~dev7-12.33.1.noarch", "product_id": "venv-openstack-designate-s390x-5.0.3~dev7-12.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-freezer-aarch64-5.0.0.0~xrc2~dev2-10.30.1.noarch", "product": { "name": "venv-openstack-freezer-aarch64-5.0.0.0~xrc2~dev2-10.30.1.noarch", "product_id": "venv-openstack-freezer-aarch64-5.0.0.0~xrc2~dev2-10.30.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-freezer-ppc64le-5.0.0.0~xrc2~dev2-10.30.1.noarch", "product": { "name": "venv-openstack-freezer-ppc64le-5.0.0.0~xrc2~dev2-10.30.1.noarch", "product_id": "venv-openstack-freezer-ppc64le-5.0.0.0~xrc2~dev2-10.30.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-freezer-s390x-5.0.0.0~xrc2~dev2-10.30.1.noarch", "product": { "name": "venv-openstack-freezer-s390x-5.0.0.0~xrc2~dev2-10.30.1.noarch", "product_id": "venv-openstack-freezer-s390x-5.0.0.0~xrc2~dev2-10.30.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-glance-aarch64-15.0.3~dev3-12.33.1.noarch", "product": { "name": "venv-openstack-glance-aarch64-15.0.3~dev3-12.33.1.noarch", "product_id": "venv-openstack-glance-aarch64-15.0.3~dev3-12.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-glance-ppc64le-15.0.3~dev3-12.33.1.noarch", "product": { "name": "venv-openstack-glance-ppc64le-15.0.3~dev3-12.33.1.noarch", "product_id": "venv-openstack-glance-ppc64le-15.0.3~dev3-12.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-glance-s390x-15.0.3~dev3-12.33.1.noarch", "product": { "name": "venv-openstack-glance-s390x-15.0.3~dev3-12.33.1.noarch", "product_id": "venv-openstack-glance-s390x-15.0.3~dev3-12.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-heat-aarch64-9.0.8~dev22-12.37.1.noarch", "product": { "name": "venv-openstack-heat-aarch64-9.0.8~dev22-12.37.1.noarch", "product_id": "venv-openstack-heat-aarch64-9.0.8~dev22-12.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-heat-ppc64le-9.0.8~dev22-12.37.1.noarch", "product": { "name": "venv-openstack-heat-ppc64le-9.0.8~dev22-12.37.1.noarch", "product_id": "venv-openstack-heat-ppc64le-9.0.8~dev22-12.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-heat-s390x-9.0.8~dev22-12.37.1.noarch", "product": { "name": "venv-openstack-heat-s390x-9.0.8~dev22-12.37.1.noarch", "product_id": "venv-openstack-heat-s390x-9.0.8~dev22-12.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-aarch64-12.0.5~dev6-14.40.1.noarch", "product": { "name": "venv-openstack-horizon-aarch64-12.0.5~dev6-14.40.1.noarch", "product_id": "venv-openstack-horizon-aarch64-12.0.5~dev6-14.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-hpe-aarch64-12.0.5~dev6-14.40.1.noarch", "product": { "name": "venv-openstack-horizon-hpe-aarch64-12.0.5~dev6-14.40.1.noarch", "product_id": "venv-openstack-horizon-hpe-aarch64-12.0.5~dev6-14.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-hpe-ppc64le-12.0.5~dev6-14.40.1.noarch", "product": { "name": "venv-openstack-horizon-hpe-ppc64le-12.0.5~dev6-14.40.1.noarch", "product_id": "venv-openstack-horizon-hpe-ppc64le-12.0.5~dev6-14.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-hpe-s390x-12.0.5~dev6-14.40.1.noarch", "product": { "name": "venv-openstack-horizon-hpe-s390x-12.0.5~dev6-14.40.1.noarch", "product_id": "venv-openstack-horizon-hpe-s390x-12.0.5~dev6-14.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-ppc64le-12.0.5~dev6-14.40.1.noarch", "product": { "name": "venv-openstack-horizon-ppc64le-12.0.5~dev6-14.40.1.noarch", "product_id": "venv-openstack-horizon-ppc64le-12.0.5~dev6-14.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-s390x-12.0.5~dev6-14.40.1.noarch", "product": { "name": "venv-openstack-horizon-s390x-12.0.5~dev6-14.40.1.noarch", "product_id": "venv-openstack-horizon-s390x-12.0.5~dev6-14.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-x86_64-12.0.5~dev6-14.40.1.noarch", "product": { "name": "venv-openstack-horizon-x86_64-12.0.5~dev6-14.40.1.noarch", "product_id": "venv-openstack-horizon-x86_64-12.0.5~dev6-14.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ironic-aarch64-9.1.8~dev8-12.35.1.noarch", "product": { "name": "venv-openstack-ironic-aarch64-9.1.8~dev8-12.35.1.noarch", "product_id": "venv-openstack-ironic-aarch64-9.1.8~dev8-12.35.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ironic-ppc64le-9.1.8~dev8-12.35.1.noarch", "product": { "name": "venv-openstack-ironic-ppc64le-9.1.8~dev8-12.35.1.noarch", "product_id": "venv-openstack-ironic-ppc64le-9.1.8~dev8-12.35.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ironic-s390x-9.1.8~dev8-12.35.1.noarch", "product": { "name": "venv-openstack-ironic-s390x-9.1.8~dev8-12.35.1.noarch", "product_id": "venv-openstack-ironic-s390x-9.1.8~dev8-12.35.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-keystone-aarch64-12.0.4~dev11-11.37.1.noarch", "product": { "name": "venv-openstack-keystone-aarch64-12.0.4~dev11-11.37.1.noarch", "product_id": "venv-openstack-keystone-aarch64-12.0.4~dev11-11.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-keystone-ppc64le-12.0.4~dev11-11.37.1.noarch", "product": { "name": "venv-openstack-keystone-ppc64le-12.0.4~dev11-11.37.1.noarch", "product_id": "venv-openstack-keystone-ppc64le-12.0.4~dev11-11.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-keystone-s390x-12.0.4~dev11-11.37.1.noarch", "product": { "name": "venv-openstack-keystone-s390x-12.0.4~dev11-11.37.1.noarch", "product_id": "venv-openstack-keystone-s390x-12.0.4~dev11-11.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-magnum-aarch64-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch", "product": { "name": "venv-openstack-magnum-aarch64-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch", "product_id": "venv-openstack-magnum-aarch64-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-magnum-ppc64le-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch", "product": { "name": "venv-openstack-magnum-ppc64le-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch", "product_id": "venv-openstack-magnum-ppc64le-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-magnum-s390x-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch", "product": { "name": "venv-openstack-magnum-s390x-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch", "product_id": "venv-openstack-magnum-s390x-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-manila-aarch64-5.1.1~dev5-12.39.1.noarch", "product": { "name": "venv-openstack-manila-aarch64-5.1.1~dev5-12.39.1.noarch", "product_id": "venv-openstack-manila-aarch64-5.1.1~dev5-12.39.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-manila-ppc64le-5.1.1~dev5-12.39.1.noarch", "product": { "name": "venv-openstack-manila-ppc64le-5.1.1~dev5-12.39.1.noarch", "product_id": "venv-openstack-manila-ppc64le-5.1.1~dev5-12.39.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-manila-s390x-5.1.1~dev5-12.39.1.noarch", "product": { "name": "venv-openstack-manila-s390x-5.1.1~dev5-12.39.1.noarch", "product_id": "venv-openstack-manila-s390x-5.1.1~dev5-12.39.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-aarch64-2.2.2~dev1-11.34.1.noarch", "product": { "name": "venv-openstack-monasca-aarch64-2.2.2~dev1-11.34.1.noarch", "product_id": "venv-openstack-monasca-aarch64-2.2.2~dev1-11.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ceilometer-aarch64-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch", "product": { "name": "venv-openstack-monasca-ceilometer-aarch64-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch", "product_id": "venv-openstack-monasca-ceilometer-aarch64-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ceilometer-ppc64le-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch", "product": { "name": "venv-openstack-monasca-ceilometer-ppc64le-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch", "product_id": "venv-openstack-monasca-ceilometer-ppc64le-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ceilometer-s390x-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch", "product": { "name": "venv-openstack-monasca-ceilometer-s390x-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch", "product_id": "venv-openstack-monasca-ceilometer-s390x-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ppc64le-2.2.2~dev1-11.34.1.noarch", "product": { "name": "venv-openstack-monasca-ppc64le-2.2.2~dev1-11.34.1.noarch", "product_id": "venv-openstack-monasca-ppc64le-2.2.2~dev1-11.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-s390x-2.2.2~dev1-11.34.1.noarch", "product": { "name": "venv-openstack-monasca-s390x-2.2.2~dev1-11.34.1.noarch", "product_id": "venv-openstack-monasca-s390x-2.2.2~dev1-11.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-murano-aarch64-4.0.2~dev2-12.30.1.noarch", "product": { "name": "venv-openstack-murano-aarch64-4.0.2~dev2-12.30.1.noarch", "product_id": "venv-openstack-murano-aarch64-4.0.2~dev2-12.30.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-murano-ppc64le-4.0.2~dev2-12.30.1.noarch", "product": { "name": "venv-openstack-murano-ppc64le-4.0.2~dev2-12.30.1.noarch", "product_id": "venv-openstack-murano-ppc64le-4.0.2~dev2-12.30.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-murano-s390x-4.0.2~dev2-12.30.1.noarch", "product": { "name": "venv-openstack-murano-s390x-4.0.2~dev2-12.30.1.noarch", "product_id": "venv-openstack-murano-s390x-4.0.2~dev2-12.30.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-neutron-aarch64-11.0.9~dev69-13.40.1.noarch", "product": { "name": "venv-openstack-neutron-aarch64-11.0.9~dev69-13.40.1.noarch", "product_id": "venv-openstack-neutron-aarch64-11.0.9~dev69-13.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-neutron-ppc64le-11.0.9~dev69-13.40.1.noarch", "product": { "name": "venv-openstack-neutron-ppc64le-11.0.9~dev69-13.40.1.noarch", "product_id": "venv-openstack-neutron-ppc64le-11.0.9~dev69-13.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-neutron-s390x-11.0.9~dev69-13.40.1.noarch", "product": { "name": "venv-openstack-neutron-s390x-11.0.9~dev69-13.40.1.noarch", "product_id": "venv-openstack-neutron-s390x-11.0.9~dev69-13.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-nova-aarch64-16.1.9~dev92-11.38.1.noarch", "product": { "name": "venv-openstack-nova-aarch64-16.1.9~dev92-11.38.1.noarch", "product_id": "venv-openstack-nova-aarch64-16.1.9~dev92-11.38.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-nova-ppc64le-16.1.9~dev92-11.38.1.noarch", "product": { "name": "venv-openstack-nova-ppc64le-16.1.9~dev92-11.38.1.noarch", "product_id": "venv-openstack-nova-ppc64le-16.1.9~dev92-11.38.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-nova-s390x-16.1.9~dev92-11.38.1.noarch", "product": { "name": "venv-openstack-nova-s390x-16.1.9~dev92-11.38.1.noarch", "product_id": "venv-openstack-nova-s390x-16.1.9~dev92-11.38.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-octavia-aarch64-1.0.6~dev3-12.35.1.noarch", "product": { "name": "venv-openstack-octavia-aarch64-1.0.6~dev3-12.35.1.noarch", "product_id": "venv-openstack-octavia-aarch64-1.0.6~dev3-12.35.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-octavia-ppc64le-1.0.6~dev3-12.35.1.noarch", "product": { "name": "venv-openstack-octavia-ppc64le-1.0.6~dev3-12.35.1.noarch", "product_id": "venv-openstack-octavia-ppc64le-1.0.6~dev3-12.35.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-octavia-s390x-1.0.6~dev3-12.35.1.noarch", "product": { "name": "venv-openstack-octavia-s390x-1.0.6~dev3-12.35.1.noarch", "product_id": "venv-openstack-octavia-s390x-1.0.6~dev3-12.35.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-sahara-aarch64-7.0.5~dev4-11.34.1.noarch", "product": { "name": "venv-openstack-sahara-aarch64-7.0.5~dev4-11.34.1.noarch", "product_id": "venv-openstack-sahara-aarch64-7.0.5~dev4-11.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-sahara-ppc64le-7.0.5~dev4-11.34.1.noarch", "product": { "name": "venv-openstack-sahara-ppc64le-7.0.5~dev4-11.34.1.noarch", "product_id": "venv-openstack-sahara-ppc64le-7.0.5~dev4-11.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-sahara-s390x-7.0.5~dev4-11.34.1.noarch", "product": { "name": "venv-openstack-sahara-s390x-7.0.5~dev4-11.34.1.noarch", "product_id": "venv-openstack-sahara-s390x-7.0.5~dev4-11.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-swift-aarch64-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch", "product": { "name": "venv-openstack-swift-aarch64-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch", "product_id": "venv-openstack-swift-aarch64-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-swift-ppc64le-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch", "product": { "name": "venv-openstack-swift-ppc64le-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch", "product_id": "venv-openstack-swift-ppc64le-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-swift-s390x-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch", "product": { "name": "venv-openstack-swift-s390x-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch", "product_id": "venv-openstack-swift-s390x-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-trove-aarch64-8.0.2~dev2-11.34.1.noarch", "product": { "name": "venv-openstack-trove-aarch64-8.0.2~dev2-11.34.1.noarch", "product_id": "venv-openstack-trove-aarch64-8.0.2~dev2-11.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-trove-ppc64le-8.0.2~dev2-11.34.1.noarch", "product": { "name": "venv-openstack-trove-ppc64le-8.0.2~dev2-11.34.1.noarch", "product_id": "venv-openstack-trove-ppc64le-8.0.2~dev2-11.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-trove-s390x-8.0.2~dev2-11.34.1.noarch", "product": { "name": "venv-openstack-trove-s390x-8.0.2~dev2-11.34.1.noarch", "product_id": "venv-openstack-trove-s390x-8.0.2~dev2-11.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-zaqar-aarch64-5.0.1-10.16.1.noarch", "product": { "name": "venv-openstack-zaqar-aarch64-5.0.1-10.16.1.noarch", "product_id": "venv-openstack-zaqar-aarch64-5.0.1-10.16.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-zaqar-ppc64le-5.0.1-10.16.1.noarch", "product": { "name": "venv-openstack-zaqar-ppc64le-5.0.1-10.16.1.noarch", "product_id": "venv-openstack-zaqar-ppc64le-5.0.1-10.16.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-zaqar-s390x-5.0.1-10.16.1.noarch", "product": { "name": "venv-openstack-zaqar-s390x-5.0.1-10.16.1.noarch", "product_id": "venv-openstack-zaqar-s390x-5.0.1-10.16.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-zaqar-x86_64-5.0.1-10.16.1.noarch", "product": { "name": "venv-openstack-zaqar-x86_64-5.0.1-10.16.1.noarch", "product_id": "venv-openstack-zaqar-x86_64-5.0.1-10.16.1.noarch" } }, { "category": "product_version", "name": "zookeeper-kit-3.4.10-4.6.1.noarch", "product": { "name": "zookeeper-kit-3.4.10-4.6.1.noarch", "product_id": "zookeeper-kit-3.4.10-4.6.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.10-3.9.1.ppc64le", "product": { "name": "libzookeeper2-3.4.10-3.9.1.ppc64le", "product_id": "libzookeeper2-3.4.10-3.9.1.ppc64le" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.10-3.9.1.ppc64le", "product": { "name": "libzookeeper2-devel-3.4.10-3.9.1.ppc64le", "product_id": "libzookeeper2-devel-3.4.10-3.9.1.ppc64le" } }, { "category": "product_version", "name": "logstash-2.4.1-5.7.1.ppc64le", "product": { "name": "logstash-2.4.1-5.7.1.ppc64le", "product_id": "logstash-2.4.1-5.7.1.ppc64le" } }, { "category": "product_version", "name": "zookeeper-client-3.4.10-3.9.1.ppc64le", "product": { "name": "zookeeper-client-3.4.10-3.9.1.ppc64le", "product_id": "zookeeper-client-3.4.10-3.9.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.10-3.9.1.s390x", "product": { "name": "libzookeeper2-3.4.10-3.9.1.s390x", "product_id": "libzookeeper2-3.4.10-3.9.1.s390x" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.10-3.9.1.s390x", "product": { "name": "libzookeeper2-devel-3.4.10-3.9.1.s390x", "product_id": "libzookeeper2-devel-3.4.10-3.9.1.s390x" } }, { "category": "product_version", "name": "logstash-2.4.1-5.7.1.s390x", "product": { "name": "logstash-2.4.1-5.7.1.s390x", "product_id": "logstash-2.4.1-5.7.1.s390x" } }, { "category": "product_version", "name": "zookeeper-client-3.4.10-3.9.1.s390x", "product": { "name": "zookeeper-client-3.4.10-3.9.1.s390x", "product_id": "zookeeper-client-3.4.10-3.9.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "kafka-0.10.2.2-5.9.1.x86_64", "product": { "name": "kafka-0.10.2.2-5.9.1.x86_64", "product_id": "kafka-0.10.2.2-5.9.1.x86_64" } }, { "category": "product_version", "name": "logstash-2.4.1-5.7.1.x86_64", "product": { "name": "logstash-2.4.1-5.7.1.x86_64", "product_id": "logstash-2.4.1-5.7.1.x86_64" } }, { "category": "product_version", "name": "kafka-doc-0.10.2.2-5.9.1.x86_64", "product": { "name": "kafka-doc-0.10.2.2-5.9.1.x86_64", "product_id": "kafka-doc-0.10.2.2-5.9.1.x86_64" } }, { "category": "product_version", "name": "kafka-kit-0.10.2.2-5.6.1.x86_64", "product": { "name": "kafka-kit-0.10.2.2-5.6.1.x86_64", "product_id": "kafka-kit-0.10.2.2-5.6.1.x86_64" } }, { "category": "product_version", "name": "kafka-zookeeper-0.10.2.2-5.9.1.x86_64", "product": { "name": "kafka-zookeeper-0.10.2.2-5.9.1.x86_64", "product_id": "kafka-zookeeper-0.10.2.2-5.9.1.x86_64" } }, { "category": "product_version", "name": "libzookeeper2-3.4.10-3.9.1.x86_64", "product": { "name": "libzookeeper2-3.4.10-3.9.1.x86_64", "product_id": "libzookeeper2-3.4.10-3.9.1.x86_64" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.10-3.9.1.x86_64", "product": { "name": "libzookeeper2-devel-3.4.10-3.9.1.x86_64", "product_id": "libzookeeper2-devel-3.4.10-3.9.1.x86_64" } }, { "category": "product_version", "name": "zookeeper-client-3.4.10-3.9.1.x86_64", "product": { "name": "zookeeper-client-3.4.10-3.9.1.x86_64", "product_id": "zookeeper-client-3.4.10-3.9.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "HPE Helion OpenStack 8", "product": { "name": "HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8", "product_identification_helper": { "cpe": "cpe:/o:suse:hpe-helion-openstack:8" } } }, { "category": "product_name", "name": "SUSE OpenStack Cloud 8", "product": { "name": "SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud:8" } } }, { "category": "product_name", "name": "SUSE OpenStack Cloud Crowbar 8", "product": { "name": "SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:8" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "elasticsearch-2.4.2-5.3.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:elasticsearch-2.4.2-5.3.1.noarch" }, "product_reference": "elasticsearch-2.4.2-5.3.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-0.10.2.2-5.9.1.x86_64 as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:kafka-0.10.2.2-5.9.1.x86_64" }, "product_reference": "kafka-0.10.2.2-5.9.1.x86_64", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "logstash-2.4.1-5.7.1.x86_64 as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:logstash-2.4.1-5.7.1.x86_64" }, "product_reference": "logstash-2.4.1-5.7.1.x86_64", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch" }, "product_reference": "openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch" }, "product_reference": "openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-thresh-2.1.1-4.3.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:openstack-monasca-thresh-2.1.1-4.3.1.noarch" }, "product_reference": "openstack-monasca-thresh-2.1.1-4.3.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "python-monasca-agent-2.2.6~dev4-3.21.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.21.1.noarch" }, "product_reference": "python-monasca-agent-2.2.6~dev4-3.21.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-aodh-x86_64-5.1.1~dev7-12.34.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.34.1.noarch" }, "product_reference": "venv-openstack-aodh-x86_64-5.1.1~dev7-12.34.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-barbican-x86_64-5.0.2~dev3-12.35.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.35.1.noarch" }, "product_reference": "venv-openstack-barbican-x86_64-5.0.2~dev3-12.35.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.32.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.32.1.noarch" }, "product_reference": "venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.32.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-cinder-x86_64-11.2.3~dev29-14.36.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.36.1.noarch" }, "product_reference": "venv-openstack-cinder-x86_64-11.2.3~dev29-14.36.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-designate-x86_64-5.0.3~dev7-12.33.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.33.1.noarch" }, "product_reference": "venv-openstack-designate-x86_64-5.0.3~dev7-12.33.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.30.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.30.1.noarch" }, "product_reference": "venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.30.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-glance-x86_64-15.0.3~dev3-12.33.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.33.1.noarch" }, "product_reference": "venv-openstack-glance-x86_64-15.0.3~dev3-12.33.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-heat-x86_64-9.0.8~dev22-12.37.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.37.1.noarch" }, "product_reference": "venv-openstack-heat-x86_64-9.0.8~dev22-12.37.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.40.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.40.1.noarch" }, "product_reference": "venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.40.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-ironic-x86_64-9.1.8~dev8-12.35.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.35.1.noarch" }, "product_reference": "venv-openstack-ironic-x86_64-9.1.8~dev8-12.35.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-keystone-x86_64-12.0.4~dev11-11.37.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.37.1.noarch" }, "product_reference": "venv-openstack-keystone-x86_64-12.0.4~dev11-11.37.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch" }, "product_reference": "venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-manila-x86_64-5.1.1~dev5-12.39.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.39.1.noarch" }, "product_reference": "venv-openstack-manila-x86_64-5.1.1~dev5-12.39.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch" }, "product_reference": "venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.34.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.34.1.noarch" }, "product_reference": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.34.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-murano-x86_64-4.0.2~dev2-12.30.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.30.1.noarch" }, "product_reference": "venv-openstack-murano-x86_64-4.0.2~dev2-12.30.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-neutron-x86_64-11.0.9~dev69-13.40.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.40.1.noarch" }, "product_reference": "venv-openstack-neutron-x86_64-11.0.9~dev69-13.40.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-nova-x86_64-16.1.9~dev92-11.38.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.38.1.noarch" }, "product_reference": "venv-openstack-nova-x86_64-16.1.9~dev92-11.38.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-octavia-x86_64-1.0.6~dev3-12.35.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.35.1.noarch" }, "product_reference": "venv-openstack-octavia-x86_64-1.0.6~dev3-12.35.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-sahara-x86_64-7.0.5~dev4-11.34.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.34.1.noarch" }, "product_reference": "venv-openstack-sahara-x86_64-7.0.5~dev4-11.34.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch" }, "product_reference": "venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-trove-x86_64-8.0.2~dev2-11.34.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.34.1.noarch" }, "product_reference": "venv-openstack-trove-x86_64-8.0.2~dev2-11.34.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "zookeeper-server-3.4.10-3.9.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.9.1.noarch" }, "product_reference": "zookeeper-server-3.4.10-3.9.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "elasticsearch-2.4.2-5.3.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:elasticsearch-2.4.2-5.3.1.noarch" }, "product_reference": "elasticsearch-2.4.2-5.3.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-0.10.2.2-5.9.1.x86_64 as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:kafka-0.10.2.2-5.9.1.x86_64" }, "product_reference": "kafka-0.10.2.2-5.9.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "logstash-2.4.1-5.7.1.x86_64 as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:logstash-2.4.1-5.7.1.x86_64" }, "product_reference": "logstash-2.4.1-5.7.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch" }, "product_reference": "openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch" }, "product_reference": "openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-thresh-2.1.1-4.3.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:openstack-monasca-thresh-2.1.1-4.3.1.noarch" }, "product_reference": "openstack-monasca-thresh-2.1.1-4.3.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "python-monasca-agent-2.2.6~dev4-3.21.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.21.1.noarch" }, "product_reference": "python-monasca-agent-2.2.6~dev4-3.21.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-aodh-x86_64-5.1.1~dev7-12.34.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.34.1.noarch" }, "product_reference": "venv-openstack-aodh-x86_64-5.1.1~dev7-12.34.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-barbican-x86_64-5.0.2~dev3-12.35.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.35.1.noarch" }, "product_reference": "venv-openstack-barbican-x86_64-5.0.2~dev3-12.35.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.32.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.32.1.noarch" }, "product_reference": "venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.32.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-cinder-x86_64-11.2.3~dev29-14.36.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.36.1.noarch" }, "product_reference": "venv-openstack-cinder-x86_64-11.2.3~dev29-14.36.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-designate-x86_64-5.0.3~dev7-12.33.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.33.1.noarch" }, "product_reference": "venv-openstack-designate-x86_64-5.0.3~dev7-12.33.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.30.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.30.1.noarch" }, "product_reference": "venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.30.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-glance-x86_64-15.0.3~dev3-12.33.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.33.1.noarch" }, "product_reference": "venv-openstack-glance-x86_64-15.0.3~dev3-12.33.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-heat-x86_64-9.0.8~dev22-12.37.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.37.1.noarch" }, "product_reference": "venv-openstack-heat-x86_64-9.0.8~dev22-12.37.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-horizon-x86_64-12.0.5~dev6-14.40.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-horizon-x86_64-12.0.5~dev6-14.40.1.noarch" }, "product_reference": "venv-openstack-horizon-x86_64-12.0.5~dev6-14.40.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-ironic-x86_64-9.1.8~dev8-12.35.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.35.1.noarch" }, "product_reference": "venv-openstack-ironic-x86_64-9.1.8~dev8-12.35.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-keystone-x86_64-12.0.4~dev11-11.37.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.37.1.noarch" }, "product_reference": "venv-openstack-keystone-x86_64-12.0.4~dev11-11.37.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch" }, "product_reference": "venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-manila-x86_64-5.1.1~dev5-12.39.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.39.1.noarch" }, "product_reference": "venv-openstack-manila-x86_64-5.1.1~dev5-12.39.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch" }, "product_reference": "venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.34.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.34.1.noarch" }, "product_reference": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.34.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-murano-x86_64-4.0.2~dev2-12.30.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.30.1.noarch" }, "product_reference": "venv-openstack-murano-x86_64-4.0.2~dev2-12.30.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-neutron-x86_64-11.0.9~dev69-13.40.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.40.1.noarch" }, "product_reference": "venv-openstack-neutron-x86_64-11.0.9~dev69-13.40.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-nova-x86_64-16.1.9~dev92-11.38.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.38.1.noarch" }, "product_reference": "venv-openstack-nova-x86_64-16.1.9~dev92-11.38.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-octavia-x86_64-1.0.6~dev3-12.35.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.35.1.noarch" }, "product_reference": "venv-openstack-octavia-x86_64-1.0.6~dev3-12.35.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-sahara-x86_64-7.0.5~dev4-11.34.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.34.1.noarch" }, "product_reference": "venv-openstack-sahara-x86_64-7.0.5~dev4-11.34.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch" }, "product_reference": "venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-trove-x86_64-8.0.2~dev2-11.34.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.34.1.noarch" }, "product_reference": "venv-openstack-trove-x86_64-8.0.2~dev2-11.34.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "zookeeper-server-3.4.10-3.9.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.9.1.noarch" }, "product_reference": "zookeeper-server-3.4.10-3.9.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "elasticsearch-2.4.2-5.3.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:elasticsearch-2.4.2-5.3.1.noarch" }, "product_reference": "elasticsearch-2.4.2-5.3.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-0.10.2.2-5.9.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:kafka-0.10.2.2-5.9.1.x86_64" }, "product_reference": "kafka-0.10.2.2-5.9.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "logstash-2.4.1-5.7.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.7.1.x86_64" }, "product_reference": "logstash-2.4.1-5.7.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch" }, "product_reference": "openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch" }, "product_reference": "openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-thresh-2.1.1-4.3.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-thresh-2.1.1-4.3.1.noarch" }, "product_reference": "openstack-monasca-thresh-2.1.1-4.3.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "python-monasca-agent-2.2.6~dev4-3.21.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.21.1.noarch" }, "product_reference": "python-monasca-agent-2.2.6~dev4-3.21.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "zookeeper-server-3.4.10-3.9.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.9.1.noarch" }, "product_reference": "zookeeper-server-3.4.10-3.9.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "HPE Helion OpenStack 8:elasticsearch-2.4.2-5.3.1.noarch", "HPE Helion OpenStack 8:kafka-0.10.2.2-5.9.1.x86_64", "HPE Helion OpenStack 8:logstash-2.4.1-5.7.1.x86_64", "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-thresh-2.1.1-4.3.1.noarch", "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.21.1.noarch", "HPE Helion OpenStack 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.34.1.noarch", "HPE Helion OpenStack 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.35.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.32.1.noarch", "HPE Helion OpenStack 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.33.1.noarch", "HPE Helion OpenStack 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.30.1.noarch", "HPE Helion OpenStack 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.33.1.noarch", "HPE Helion OpenStack 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.37.1.noarch", "HPE Helion OpenStack 8:venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.35.1.noarch", "HPE Helion OpenStack 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.37.1.noarch", "HPE Helion OpenStack 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch", "HPE Helion OpenStack 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.34.1.noarch", "HPE Helion OpenStack 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.30.1.noarch", "HPE Helion OpenStack 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.38.1.noarch", "HPE Helion OpenStack 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.35.1.noarch", "HPE Helion OpenStack 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.34.1.noarch", "HPE Helion OpenStack 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch", "HPE Helion OpenStack 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.34.1.noarch", "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.9.1.noarch", "SUSE OpenStack Cloud 8:elasticsearch-2.4.2-5.3.1.noarch", "SUSE OpenStack Cloud 8:kafka-0.10.2.2-5.9.1.x86_64", "SUSE OpenStack Cloud 8:logstash-2.4.1-5.7.1.x86_64", "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-thresh-2.1.1-4.3.1.noarch", "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.21.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.34.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.35.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.32.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.33.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.30.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.33.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.37.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-horizon-x86_64-12.0.5~dev6-14.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.35.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.37.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.34.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.30.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.38.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.35.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.34.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.34.1.noarch", "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.9.1.noarch", "SUSE OpenStack Cloud Crowbar 8:elasticsearch-2.4.2-5.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:kafka-0.10.2.2-5.9.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.7.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-thresh-2.1.1-4.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.21.1.noarch", "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.9.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "HPE Helion OpenStack 8:elasticsearch-2.4.2-5.3.1.noarch", "HPE Helion OpenStack 8:kafka-0.10.2.2-5.9.1.x86_64", "HPE Helion OpenStack 8:logstash-2.4.1-5.7.1.x86_64", "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-thresh-2.1.1-4.3.1.noarch", "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.21.1.noarch", "HPE Helion OpenStack 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.34.1.noarch", "HPE Helion OpenStack 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.35.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.32.1.noarch", "HPE Helion OpenStack 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.33.1.noarch", "HPE Helion OpenStack 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.30.1.noarch", "HPE Helion OpenStack 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.33.1.noarch", "HPE Helion OpenStack 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.37.1.noarch", "HPE Helion OpenStack 8:venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.35.1.noarch", "HPE Helion OpenStack 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.37.1.noarch", "HPE Helion OpenStack 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch", "HPE Helion OpenStack 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.34.1.noarch", "HPE Helion OpenStack 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.30.1.noarch", "HPE Helion OpenStack 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.38.1.noarch", "HPE Helion OpenStack 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.35.1.noarch", "HPE Helion OpenStack 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.34.1.noarch", "HPE Helion OpenStack 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch", "HPE Helion OpenStack 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.34.1.noarch", "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.9.1.noarch", "SUSE OpenStack Cloud 8:elasticsearch-2.4.2-5.3.1.noarch", "SUSE OpenStack Cloud 8:kafka-0.10.2.2-5.9.1.x86_64", "SUSE OpenStack Cloud 8:logstash-2.4.1-5.7.1.x86_64", "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-thresh-2.1.1-4.3.1.noarch", "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.21.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.34.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.35.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.32.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.33.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.30.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.33.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.37.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-horizon-x86_64-12.0.5~dev6-14.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.35.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.37.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.34.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.30.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.38.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.35.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.34.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.34.1.noarch", "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.9.1.noarch", "SUSE OpenStack Cloud Crowbar 8:elasticsearch-2.4.2-5.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:kafka-0.10.2.2-5.9.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.7.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-thresh-2.1.1-4.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.21.1.noarch", "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.9.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "HPE Helion OpenStack 8:elasticsearch-2.4.2-5.3.1.noarch", "HPE Helion OpenStack 8:kafka-0.10.2.2-5.9.1.x86_64", "HPE Helion OpenStack 8:logstash-2.4.1-5.7.1.x86_64", "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-thresh-2.1.1-4.3.1.noarch", "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.21.1.noarch", "HPE Helion OpenStack 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.34.1.noarch", "HPE Helion OpenStack 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.35.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.32.1.noarch", "HPE Helion OpenStack 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.33.1.noarch", "HPE Helion OpenStack 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.30.1.noarch", "HPE Helion OpenStack 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.33.1.noarch", "HPE Helion OpenStack 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.37.1.noarch", "HPE Helion OpenStack 8:venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.35.1.noarch", "HPE Helion OpenStack 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.37.1.noarch", "HPE Helion OpenStack 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch", "HPE Helion OpenStack 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.34.1.noarch", "HPE Helion OpenStack 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.30.1.noarch", "HPE Helion OpenStack 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.38.1.noarch", "HPE Helion OpenStack 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.35.1.noarch", "HPE Helion OpenStack 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.34.1.noarch", "HPE Helion OpenStack 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch", "HPE Helion OpenStack 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.34.1.noarch", "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.9.1.noarch", "SUSE OpenStack Cloud 8:elasticsearch-2.4.2-5.3.1.noarch", "SUSE OpenStack Cloud 8:kafka-0.10.2.2-5.9.1.x86_64", "SUSE OpenStack Cloud 8:logstash-2.4.1-5.7.1.x86_64", "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-thresh-2.1.1-4.3.1.noarch", "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.21.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.34.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.35.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.32.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.33.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.30.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.33.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.37.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-horizon-x86_64-12.0.5~dev6-14.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.35.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.37.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.34.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.30.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.34.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.30.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.38.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.35.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.34.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.25.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.34.1.noarch", "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.9.1.noarch", "SUSE OpenStack Cloud Crowbar 8:elasticsearch-2.4.2-5.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:kafka-0.10.2.2-5.9.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.7.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.21.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-thresh-2.1.1-4.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.21.1.noarch", "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.9.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2021-12-24T08:36:07Z", "details": "moderate" } ], "title": "CVE-2021-4104" } ] }
suse-su-2021:4111-1
Vulnerability from csaf_suse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for log4j", "title": "Title of the patch" }, { "category": "description", "text": "This update for log4j fixes the following issue:\n\n- CVE-2021-4104: Disable the JMSAppender class from log4j to protect against\n the log4jshell vulnerability. [bsc#1193662]\n", "title": "Description of the patch" }, { "category": "details", "text": "SUSE-2021-4111,SUSE-SLE-Product-HPC-15-2021-4111,SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-4111,SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-4111,SUSE-SLE-Product-SLES-15-2021-4111,SUSE-SLE-Product-SLES-15-SP1-BCL-2021-4111,SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-4111,SUSE-SLE-Product-SLES_SAP-15-2021-4111,SUSE-SLE-Product-SLES_SAP-15-SP1-2021-4111,SUSE-Storage-6-2021-4111", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_4111-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2021:4111-1", "url": "https://www.suse.com/support/update/announcement/2021/suse-su-20214111-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2021:4111-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009917.html" }, { "category": "self", "summary": "SUSE Bug 1193662", "url": "https://bugzilla.suse.com/1193662" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" } ], "title": "Security update for log4j", "tracking": { "current_release_date": "2021-12-17T11:19:17Z", "generator": { "date": "2021-12-17T11:19:17Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2021:4111-1", "initial_release_date": "2021-12-17T11:19:17Z", "revision_history": [ { "date": "2021-12-17T11:19:17Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "log4j-1.2.17-5.6.1.noarch", "product": { "name": "log4j-1.2.17-5.6.1.noarch", "product_id": "log4j-1.2.17-5.6.1.noarch" } }, { "category": "product_version", "name": "log4j-javadoc-1.2.17-5.6.1.noarch", "product": { "name": "log4j-javadoc-1.2.17-5.6.1.noarch", "product_id": "log4j-javadoc-1.2.17-5.6.1.noarch" } }, { "category": "product_version", "name": "log4j-manual-1.2.17-5.6.1.noarch", "product": { "name": "log4j-manual-1.2.17-5.6.1.noarch", "product_id": "log4j-manual-1.2.17-5.6.1.noarch" } }, { "category": "product_version", "name": "log4j-mini-1.2.17-5.6.1.noarch", "product": { "name": "log4j-mini-1.2.17-5.6.1.noarch", "product_id": "log4j-mini-1.2.17-5.6.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux Enterprise High Performance Computing 15-ESPOS", "product": { "name": "SUSE Linux Enterprise High Performance Computing 15-ESPOS", "product_id": "SUSE Linux Enterprise High Performance Computing 15-ESPOS", "product_identification_helper": { "cpe": "cpe:/o:suse:sle_hpc-espos:15" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise High Performance Computing 15-LTSS", "product": { "name": "SUSE Linux Enterprise High Performance Computing 15-LTSS", "product_id": "SUSE Linux Enterprise High Performance Computing 15-LTSS", "product_identification_helper": { "cpe": "cpe:/o:suse:sle_hpc-ltss:15" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS", "product": { "name": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS", "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS", "product_identification_helper": { "cpe": "cpe:/o:suse:sle_hpc-espos:15:sp1" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS", "product": { "name": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS", "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS", "product_identification_helper": { "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp1" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Server 15-LTSS", "product": { "name": "SUSE Linux Enterprise Server 15-LTSS", "product_id": "SUSE Linux Enterprise Server 15-LTSS", "product_identification_helper": { "cpe": "cpe:/o:suse:sles-ltss:15" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Server 15 SP1-BCL", "product": { "name": "SUSE Linux Enterprise Server 15 SP1-BCL", "product_id": "SUSE Linux Enterprise Server 15 SP1-BCL", "product_identification_helper": { "cpe": "cpe:/o:suse:sles_bcl:15:sp1" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Server 15 SP1-LTSS", "product": { "name": "SUSE Linux Enterprise Server 15 SP1-LTSS", "product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS", "product_identification_helper": { "cpe": "cpe:/o:suse:sles-ltss:15:sp1" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Server for SAP Applications 15", "product": { "name": "SUSE Linux Enterprise Server for SAP Applications 15", "product_id": "SUSE Linux Enterprise Server for SAP Applications 15", "product_identification_helper": { "cpe": "cpe:/o:suse:sles_sap:15" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP1", "product": { "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP1", "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP1", "product_identification_helper": { "cpe": "cpe:/o:suse:sles_sap:15:sp1" } } }, { "category": "product_name", "name": "SUSE Enterprise Storage 6", "product": { "name": "SUSE Enterprise Storage 6", "product_id": "SUSE Enterprise Storage 6", "product_identification_helper": { "cpe": "cpe:/o:suse:ses:6" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.17-5.6.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15-ESPOS", "product_id": "SUSE Linux Enterprise High Performance Computing 15-ESPOS:log4j-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-ESPOS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-1.2.17-5.6.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15-ESPOS", "product_id": "SUSE Linux Enterprise High Performance Computing 15-ESPOS:log4j-manual-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-manual-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-ESPOS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.17-5.6.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15-LTSS", "product_id": "SUSE Linux Enterprise High Performance Computing 15-LTSS:log4j-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-LTSS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-1.2.17-5.6.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15-LTSS", "product_id": "SUSE Linux Enterprise High Performance Computing 15-LTSS:log4j-manual-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-manual-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15-LTSS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.17-5.6.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS", "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:log4j-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-1.2.17-5.6.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS", "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:log4j-manual-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-manual-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.17-5.6.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS", "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:log4j-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-1.2.17-5.6.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS", "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:log4j-manual-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-manual-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.17-5.6.1.noarch as component of SUSE Linux Enterprise Server 15-LTSS", "product_id": "SUSE Linux Enterprise Server 15-LTSS:log4j-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server 15-LTSS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-1.2.17-5.6.1.noarch as component of SUSE Linux Enterprise Server 15-LTSS", "product_id": "SUSE Linux Enterprise Server 15-LTSS:log4j-manual-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-manual-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server 15-LTSS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.17-5.6.1.noarch as component of SUSE Linux Enterprise Server 15 SP1-BCL", "product_id": "SUSE Linux Enterprise Server 15 SP1-BCL:log4j-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-BCL" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-1.2.17-5.6.1.noarch as component of SUSE Linux Enterprise Server 15 SP1-BCL", "product_id": "SUSE Linux Enterprise Server 15 SP1-BCL:log4j-manual-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-manual-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-BCL" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.17-5.6.1.noarch as component of SUSE Linux Enterprise Server 15 SP1-LTSS", "product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS:log4j-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-LTSS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-1.2.17-5.6.1.noarch as component of SUSE Linux Enterprise Server 15 SP1-LTSS", "product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS:log4j-manual-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-manual-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-LTSS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.17-5.6.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15", "product_id": "SUSE Linux Enterprise Server for SAP Applications 15:log4j-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-1.2.17-5.6.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15", "product_id": "SUSE Linux Enterprise Server for SAP Applications 15:log4j-manual-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-manual-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.17-5.6.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP1", "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP1:log4j-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP1" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-1.2.17-5.6.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP1", "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP1:log4j-manual-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-manual-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP1" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.17-5.6.1.noarch as component of SUSE Enterprise Storage 6", "product_id": "SUSE Enterprise Storage 6:log4j-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Enterprise Storage 6" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-1.2.17-5.6.1.noarch as component of SUSE Enterprise Storage 6", "product_id": "SUSE Enterprise Storage 6:log4j-manual-1.2.17-5.6.1.noarch" }, "product_reference": "log4j-manual-1.2.17-5.6.1.noarch", "relates_to_product_reference": "SUSE Enterprise Storage 6" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Enterprise Storage 6:log4j-1.2.17-5.6.1.noarch", "SUSE Enterprise Storage 6:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15-ESPOS:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15-ESPOS:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15-LTSS:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15-LTSS:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server 15 SP1-BCL:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server 15 SP1-BCL:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server 15 SP1-LTSS:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server 15 SP1-LTSS:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server 15-LTSS:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server 15-LTSS:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP1:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP1:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15:log4j-manual-1.2.17-5.6.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Enterprise Storage 6:log4j-1.2.17-5.6.1.noarch", "SUSE Enterprise Storage 6:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15-ESPOS:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15-ESPOS:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15-LTSS:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15-LTSS:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server 15 SP1-BCL:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server 15 SP1-BCL:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server 15 SP1-LTSS:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server 15 SP1-LTSS:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server 15-LTSS:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server 15-LTSS:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP1:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP1:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15:log4j-manual-1.2.17-5.6.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE Enterprise Storage 6:log4j-1.2.17-5.6.1.noarch", "SUSE Enterprise Storage 6:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15-ESPOS:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15-ESPOS:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15-LTSS:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise High Performance Computing 15-LTSS:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server 15 SP1-BCL:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server 15 SP1-BCL:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server 15 SP1-LTSS:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server 15 SP1-LTSS:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server 15-LTSS:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server 15-LTSS:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP1:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP1:log4j-manual-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15:log4j-1.2.17-5.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15:log4j-manual-1.2.17-5.6.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2021-12-17T11:19:17Z", "details": "moderate" } ], "title": "CVE-2021-4104" } ] }
suse-su-2022:0355-1
Vulnerability from csaf_suse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-log-metrics, openstack-monasca-log-persister, openstack-monasca-log-transformer, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh, openstack-monasca-thresh-kit, spark, spark-kit, venv-openstack-monasca, zookeeper, zookeeper-kit", "title": "Title of the patch" }, { "category": "description", "text": "This update for elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-log-metrics, openstack-monasca-log-persister, openstack-monasca-log-transformer, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh, openstack-monasca-thresh-kit, spark, spark-kit, venv-openstack-monasca, zookeeper, zookeeper-kit fixes the following issues:\n\n- CVE-2021-4104: Fixed remote code execution through JMS API via the ldap JNDI parser (bsc#1193662).\n- CVE-2022-23302: Fixed remote code execution in Log4j 1.x when application is configured to use JMSSink (bsc#1194842).\n- CVE-2022-23305: Fixed SQL injection in Log4j 1.x when application is configured to use JDBCAppender (bsc#1194843).\n- CVE-2022-23307: Fixed deserialization flaw in the Chainsaw component of Log4j 1 that could lead to malicious code execution (bsc#1194844).\n", "title": "Description of the patch" }, { "category": "details", "text": "HPE-Helion-OpenStack-8-2022-355,SUSE-2022-355,SUSE-OpenStack-Cloud-8-2022-355,SUSE-OpenStack-Cloud-Crowbar-8-2022-355", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_0355-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2022:0355-1", "url": "https://www.suse.com/support/update/announcement/2022/suse-su-20220355-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2022:0355-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-February/010196.html" }, { "category": "self", "summary": "SUSE Bug 1193662", "url": "https://bugzilla.suse.com/1193662" }, { "category": "self", "summary": "SUSE Bug 1194842", "url": "https://bugzilla.suse.com/1194842" }, { "category": "self", "summary": "SUSE Bug 1194843", "url": "https://bugzilla.suse.com/1194843" }, { "category": "self", "summary": "SUSE Bug 1194844", "url": "https://bugzilla.suse.com/1194844" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" }, { "category": "self", "summary": "SUSE CVE CVE-2022-23302 page", "url": "https://www.suse.com/security/cve/CVE-2022-23302/" }, { "category": "self", "summary": "SUSE CVE CVE-2022-23305 page", "url": "https://www.suse.com/security/cve/CVE-2022-23305/" }, { "category": "self", "summary": "SUSE CVE CVE-2022-23307 page", "url": "https://www.suse.com/security/cve/CVE-2022-23307/" } ], "title": "Security update for elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-log-metrics, openstack-monasca-log-persister, openstack-monasca-log-transformer, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh, openstack-monasca-thresh-kit, spark, spark-kit, venv-openstack-monasca, zookeeper, zookeeper-kit", "tracking": { "current_release_date": "2022-02-09T11:07:10Z", "generator": { "date": "2022-02-09T11:07:10Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2022:0355-1", "initial_release_date": "2022-02-09T11:07:10Z", "revision_history": [ { "date": "2022-02-09T11:07:10Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.10-3.15.1.aarch64", "product": { "name": "libzookeeper2-3.4.10-3.15.1.aarch64", "product_id": "libzookeeper2-3.4.10-3.15.1.aarch64" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.10-3.15.1.aarch64", "product": { "name": "libzookeeper2-devel-3.4.10-3.15.1.aarch64", "product_id": "libzookeeper2-devel-3.4.10-3.15.1.aarch64" } }, { "category": "product_version", "name": "logstash-2.4.1-5.10.1.aarch64", "product": { "name": "logstash-2.4.1-5.10.1.aarch64", "product_id": "logstash-2.4.1-5.10.1.aarch64" } }, { "category": "product_version", "name": "storm-1.2.3-3.11.2.aarch64", "product": { "name": "storm-1.2.3-3.11.2.aarch64", "product_id": "storm-1.2.3-3.11.2.aarch64" } }, { "category": "product_version", "name": "storm-doc-1.2.3-3.11.2.aarch64", "product": { "name": "storm-doc-1.2.3-3.11.2.aarch64", "product_id": "storm-doc-1.2.3-3.11.2.aarch64" } }, { "category": "product_version", "name": "storm-logviewer-1.2.3-3.11.2.aarch64", "product": { "name": "storm-logviewer-1.2.3-3.11.2.aarch64", "product_id": "storm-logviewer-1.2.3-3.11.2.aarch64" } }, { "category": "product_version", "name": "storm-nimbus-1.2.3-3.11.2.aarch64", "product": { "name": "storm-nimbus-1.2.3-3.11.2.aarch64", "product_id": "storm-nimbus-1.2.3-3.11.2.aarch64" } }, { "category": "product_version", "name": "storm-pacemaker-1.2.3-3.11.2.aarch64", "product": { "name": "storm-pacemaker-1.2.3-3.11.2.aarch64", "product_id": "storm-pacemaker-1.2.3-3.11.2.aarch64" } }, { "category": "product_version", "name": "storm-supervisor-1.2.3-3.11.2.aarch64", "product": { "name": "storm-supervisor-1.2.3-3.11.2.aarch64", "product_id": "storm-supervisor-1.2.3-3.11.2.aarch64" } }, { "category": "product_version", "name": "storm-ui-1.2.3-3.11.2.aarch64", "product": { "name": "storm-ui-1.2.3-3.11.2.aarch64", "product_id": "storm-ui-1.2.3-3.11.2.aarch64" } }, { "category": "product_version", "name": "storm-zookeeper-1.2.3-3.11.2.aarch64", "product": { "name": "storm-zookeeper-1.2.3-3.11.2.aarch64", "product_id": "storm-zookeeper-1.2.3-3.11.2.aarch64" } }, { "category": "product_version", "name": "zookeeper-client-3.4.10-3.15.1.aarch64", "product": { "name": "zookeeper-client-3.4.10-3.15.1.aarch64", "product_id": "zookeeper-client-3.4.10-3.15.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "elasticsearch-2.4.2-5.6.1.noarch", "product": { "name": "elasticsearch-2.4.2-5.6.1.noarch", "product_id": "elasticsearch-2.4.2-5.6.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "product": { "name": "openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "product_id": "openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "product": { "name": "openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "product_id": "openstack-monasca-log-metrics-0.0.1-3.3.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "product": { "name": "openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "product_id": "openstack-monasca-log-persister-0.0.1-5.3.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "product": { "name": "openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "product_id": "openstack-monasca-log-transformer-0.0.1-4.3.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "product": { "name": "openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "product_id": "openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-thresh-2.1.1-4.6.1.noarch", "product": { "name": "openstack-monasca-thresh-2.1.1-4.6.1.noarch", "product_id": "openstack-monasca-thresh-2.1.1-4.6.1.noarch" } }, { "category": "product_version", "name": "python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "product": { "name": "python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "product_id": "python-monasca-agent-2.2.6~dev4-3.27.1.noarch" } }, { "category": "product_version", "name": "spark-1.6.3-8.12.1.noarch", "product": { "name": "spark-1.6.3-8.12.1.noarch", "product_id": "spark-1.6.3-8.12.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "product": { "name": "venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "product_id": "venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "product": { "name": "venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "product_id": "venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "product": { "name": "venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "product_id": "venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "product": { "name": "venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "product_id": "venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "product": { "name": "venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "product_id": "venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "product": { "name": "venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "product_id": "venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "product": { "name": "venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "product_id": "venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "product": { "name": "venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "product_id": "venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.46.1.noarch", "product": { "name": "venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.46.1.noarch", "product_id": "venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.46.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "product": { "name": "venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "product_id": "venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "product": { "name": "venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "product_id": "venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "product": { "name": "venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "product_id": "venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "product": { "name": "venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "product_id": "venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "product": { "name": "venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "product_id": "venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "product": { "name": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "product_id": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "product": { "name": "venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "product_id": "venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "product": { "name": "venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "product_id": "venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "product": { "name": "venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "product_id": "venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "product": { "name": "venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "product_id": "venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "product": { "name": "venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "product_id": "venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "product": { "name": "venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "product_id": "venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "product": { "name": "venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "product_id": "venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch" } }, { "category": "product_version", "name": "zookeeper-server-3.4.10-3.15.1.noarch", "product": { "name": "zookeeper-server-3.4.10-3.15.1.noarch", "product_id": "zookeeper-server-3.4.10-3.15.1.noarch" } }, { "category": "product_version", "name": "elasticsearch-kit-2.4.2-5.6.1.noarch", "product": { "name": "elasticsearch-kit-2.4.2-5.6.1.noarch", "product_id": "elasticsearch-kit-2.4.2-5.6.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-persister-java-kit-1.7.1~a0~dev2-3.6.1.noarch", "product": { "name": "openstack-monasca-persister-java-kit-1.7.1~a0~dev2-3.6.1.noarch", "product_id": "openstack-monasca-persister-java-kit-1.7.1~a0~dev2-3.6.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-thresh-kit-2.1.1-3.6.1.noarch", "product": { "name": "openstack-monasca-thresh-kit-2.1.1-3.6.1.noarch", "product_id": "openstack-monasca-thresh-kit-2.1.1-3.6.1.noarch" } }, { "category": "product_version", "name": "spark-kit-1.6.3-3.6.1.noarch", "product": { "name": "spark-kit-1.6.3-3.6.1.noarch", "product_id": "spark-kit-1.6.3-3.6.1.noarch" } }, { "category": "product_version", "name": "storm-kit-1.2.3-3.13.1.noarch", "product": { "name": "storm-kit-1.2.3-3.13.1.noarch", "product_id": "storm-kit-1.2.3-3.13.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-aodh-aarch64-5.1.1~dev7-12.40.1.noarch", "product": { "name": "venv-openstack-aodh-aarch64-5.1.1~dev7-12.40.1.noarch", "product_id": "venv-openstack-aodh-aarch64-5.1.1~dev7-12.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-aodh-ppc64le-5.1.1~dev7-12.40.1.noarch", "product": { "name": "venv-openstack-aodh-ppc64le-5.1.1~dev7-12.40.1.noarch", "product_id": "venv-openstack-aodh-ppc64le-5.1.1~dev7-12.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-aodh-s390x-5.1.1~dev7-12.40.1.noarch", "product": { "name": "venv-openstack-aodh-s390x-5.1.1~dev7-12.40.1.noarch", "product_id": "venv-openstack-aodh-s390x-5.1.1~dev7-12.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-barbican-aarch64-5.0.2~dev3-12.41.1.noarch", "product": { "name": "venv-openstack-barbican-aarch64-5.0.2~dev3-12.41.1.noarch", "product_id": "venv-openstack-barbican-aarch64-5.0.2~dev3-12.41.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-barbican-ppc64le-5.0.2~dev3-12.41.1.noarch", "product": { "name": "venv-openstack-barbican-ppc64le-5.0.2~dev3-12.41.1.noarch", "product_id": "venv-openstack-barbican-ppc64le-5.0.2~dev3-12.41.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-barbican-s390x-5.0.2~dev3-12.41.1.noarch", "product": { "name": "venv-openstack-barbican-s390x-5.0.2~dev3-12.41.1.noarch", "product_id": "venv-openstack-barbican-s390x-5.0.2~dev3-12.41.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ceilometer-aarch64-9.0.8~dev7-12.38.1.noarch", "product": { "name": "venv-openstack-ceilometer-aarch64-9.0.8~dev7-12.38.1.noarch", "product_id": "venv-openstack-ceilometer-aarch64-9.0.8~dev7-12.38.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ceilometer-ppc64le-9.0.8~dev7-12.38.1.noarch", "product": { "name": "venv-openstack-ceilometer-ppc64le-9.0.8~dev7-12.38.1.noarch", "product_id": "venv-openstack-ceilometer-ppc64le-9.0.8~dev7-12.38.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ceilometer-s390x-9.0.8~dev7-12.38.1.noarch", "product": { "name": "venv-openstack-ceilometer-s390x-9.0.8~dev7-12.38.1.noarch", "product_id": "venv-openstack-ceilometer-s390x-9.0.8~dev7-12.38.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-cinder-aarch64-11.2.3~dev29-14.42.1.noarch", "product": { "name": "venv-openstack-cinder-aarch64-11.2.3~dev29-14.42.1.noarch", "product_id": "venv-openstack-cinder-aarch64-11.2.3~dev29-14.42.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-cinder-ppc64le-11.2.3~dev29-14.42.1.noarch", "product": { "name": "venv-openstack-cinder-ppc64le-11.2.3~dev29-14.42.1.noarch", "product_id": "venv-openstack-cinder-ppc64le-11.2.3~dev29-14.42.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-cinder-s390x-11.2.3~dev29-14.42.1.noarch", "product": { "name": "venv-openstack-cinder-s390x-11.2.3~dev29-14.42.1.noarch", "product_id": "venv-openstack-cinder-s390x-11.2.3~dev29-14.42.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-designate-aarch64-5.0.3~dev7-12.39.1.noarch", "product": { "name": "venv-openstack-designate-aarch64-5.0.3~dev7-12.39.1.noarch", "product_id": "venv-openstack-designate-aarch64-5.0.3~dev7-12.39.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-designate-ppc64le-5.0.3~dev7-12.39.1.noarch", "product": { "name": "venv-openstack-designate-ppc64le-5.0.3~dev7-12.39.1.noarch", "product_id": "venv-openstack-designate-ppc64le-5.0.3~dev7-12.39.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-designate-s390x-5.0.3~dev7-12.39.1.noarch", "product": { "name": "venv-openstack-designate-s390x-5.0.3~dev7-12.39.1.noarch", "product_id": "venv-openstack-designate-s390x-5.0.3~dev7-12.39.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-freezer-aarch64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "product": { "name": "venv-openstack-freezer-aarch64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "product_id": "venv-openstack-freezer-aarch64-5.0.0.0~xrc2~dev2-10.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-freezer-ppc64le-5.0.0.0~xrc2~dev2-10.36.1.noarch", "product": { "name": "venv-openstack-freezer-ppc64le-5.0.0.0~xrc2~dev2-10.36.1.noarch", "product_id": "venv-openstack-freezer-ppc64le-5.0.0.0~xrc2~dev2-10.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-freezer-s390x-5.0.0.0~xrc2~dev2-10.36.1.noarch", "product": { "name": "venv-openstack-freezer-s390x-5.0.0.0~xrc2~dev2-10.36.1.noarch", "product_id": "venv-openstack-freezer-s390x-5.0.0.0~xrc2~dev2-10.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-glance-aarch64-15.0.3~dev3-12.39.1.noarch", "product": { "name": "venv-openstack-glance-aarch64-15.0.3~dev3-12.39.1.noarch", "product_id": "venv-openstack-glance-aarch64-15.0.3~dev3-12.39.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-glance-ppc64le-15.0.3~dev3-12.39.1.noarch", "product": { "name": "venv-openstack-glance-ppc64le-15.0.3~dev3-12.39.1.noarch", "product_id": "venv-openstack-glance-ppc64le-15.0.3~dev3-12.39.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-glance-s390x-15.0.3~dev3-12.39.1.noarch", "product": { "name": "venv-openstack-glance-s390x-15.0.3~dev3-12.39.1.noarch", "product_id": "venv-openstack-glance-s390x-15.0.3~dev3-12.39.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-heat-aarch64-9.0.8~dev22-12.43.1.noarch", "product": { "name": "venv-openstack-heat-aarch64-9.0.8~dev22-12.43.1.noarch", "product_id": "venv-openstack-heat-aarch64-9.0.8~dev22-12.43.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-heat-ppc64le-9.0.8~dev22-12.43.1.noarch", "product": { "name": "venv-openstack-heat-ppc64le-9.0.8~dev22-12.43.1.noarch", "product_id": "venv-openstack-heat-ppc64le-9.0.8~dev22-12.43.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-heat-s390x-9.0.8~dev22-12.43.1.noarch", "product": { "name": "venv-openstack-heat-s390x-9.0.8~dev22-12.43.1.noarch", "product_id": "venv-openstack-heat-s390x-9.0.8~dev22-12.43.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-aarch64-12.0.5~dev6-14.46.1.noarch", "product": { "name": "venv-openstack-horizon-aarch64-12.0.5~dev6-14.46.1.noarch", "product_id": "venv-openstack-horizon-aarch64-12.0.5~dev6-14.46.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-hpe-aarch64-12.0.5~dev6-14.46.1.noarch", "product": { "name": "venv-openstack-horizon-hpe-aarch64-12.0.5~dev6-14.46.1.noarch", "product_id": "venv-openstack-horizon-hpe-aarch64-12.0.5~dev6-14.46.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-hpe-ppc64le-12.0.5~dev6-14.46.1.noarch", "product": { "name": "venv-openstack-horizon-hpe-ppc64le-12.0.5~dev6-14.46.1.noarch", "product_id": "venv-openstack-horizon-hpe-ppc64le-12.0.5~dev6-14.46.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-hpe-s390x-12.0.5~dev6-14.46.1.noarch", "product": { "name": "venv-openstack-horizon-hpe-s390x-12.0.5~dev6-14.46.1.noarch", "product_id": "venv-openstack-horizon-hpe-s390x-12.0.5~dev6-14.46.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-ppc64le-12.0.5~dev6-14.46.1.noarch", "product": { "name": "venv-openstack-horizon-ppc64le-12.0.5~dev6-14.46.1.noarch", "product_id": "venv-openstack-horizon-ppc64le-12.0.5~dev6-14.46.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-s390x-12.0.5~dev6-14.46.1.noarch", "product": { "name": "venv-openstack-horizon-s390x-12.0.5~dev6-14.46.1.noarch", "product_id": "venv-openstack-horizon-s390x-12.0.5~dev6-14.46.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-x86_64-12.0.5~dev6-14.46.1.noarch", "product": { "name": "venv-openstack-horizon-x86_64-12.0.5~dev6-14.46.1.noarch", "product_id": "venv-openstack-horizon-x86_64-12.0.5~dev6-14.46.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ironic-aarch64-9.1.8~dev8-12.41.1.noarch", "product": { "name": "venv-openstack-ironic-aarch64-9.1.8~dev8-12.41.1.noarch", "product_id": "venv-openstack-ironic-aarch64-9.1.8~dev8-12.41.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ironic-ppc64le-9.1.8~dev8-12.41.1.noarch", "product": { "name": "venv-openstack-ironic-ppc64le-9.1.8~dev8-12.41.1.noarch", "product_id": "venv-openstack-ironic-ppc64le-9.1.8~dev8-12.41.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ironic-s390x-9.1.8~dev8-12.41.1.noarch", "product": { "name": "venv-openstack-ironic-s390x-9.1.8~dev8-12.41.1.noarch", "product_id": "venv-openstack-ironic-s390x-9.1.8~dev8-12.41.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-keystone-aarch64-12.0.4~dev11-11.43.1.noarch", "product": { "name": "venv-openstack-keystone-aarch64-12.0.4~dev11-11.43.1.noarch", "product_id": "venv-openstack-keystone-aarch64-12.0.4~dev11-11.43.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-keystone-ppc64le-12.0.4~dev11-11.43.1.noarch", "product": { "name": "venv-openstack-keystone-ppc64le-12.0.4~dev11-11.43.1.noarch", "product_id": "venv-openstack-keystone-ppc64le-12.0.4~dev11-11.43.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-keystone-s390x-12.0.4~dev11-11.43.1.noarch", "product": { "name": "venv-openstack-keystone-s390x-12.0.4~dev11-11.43.1.noarch", "product_id": "venv-openstack-keystone-s390x-12.0.4~dev11-11.43.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-magnum-aarch64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "product": { "name": "venv-openstack-magnum-aarch64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "product_id": "venv-openstack-magnum-aarch64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-magnum-ppc64le-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "product": { "name": "venv-openstack-magnum-ppc64le-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "product_id": "venv-openstack-magnum-ppc64le-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-magnum-s390x-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "product": { "name": "venv-openstack-magnum-s390x-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "product_id": "venv-openstack-magnum-s390x-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-manila-aarch64-5.1.1~dev5-12.45.1.noarch", "product": { "name": "venv-openstack-manila-aarch64-5.1.1~dev5-12.45.1.noarch", "product_id": "venv-openstack-manila-aarch64-5.1.1~dev5-12.45.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-manila-ppc64le-5.1.1~dev5-12.45.1.noarch", "product": { "name": "venv-openstack-manila-ppc64le-5.1.1~dev5-12.45.1.noarch", "product_id": "venv-openstack-manila-ppc64le-5.1.1~dev5-12.45.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-manila-s390x-5.1.1~dev5-12.45.1.noarch", "product": { "name": "venv-openstack-manila-s390x-5.1.1~dev5-12.45.1.noarch", "product_id": "venv-openstack-manila-s390x-5.1.1~dev5-12.45.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-aarch64-2.2.2~dev1-11.43.1.noarch", "product": { "name": "venv-openstack-monasca-aarch64-2.2.2~dev1-11.43.1.noarch", "product_id": "venv-openstack-monasca-aarch64-2.2.2~dev1-11.43.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ceilometer-aarch64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "product": { "name": "venv-openstack-monasca-ceilometer-aarch64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "product_id": "venv-openstack-monasca-ceilometer-aarch64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ceilometer-ppc64le-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "product": { "name": "venv-openstack-monasca-ceilometer-ppc64le-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "product_id": "venv-openstack-monasca-ceilometer-ppc64le-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ceilometer-s390x-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "product": { "name": "venv-openstack-monasca-ceilometer-s390x-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "product_id": "venv-openstack-monasca-ceilometer-s390x-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ppc64le-2.2.2~dev1-11.43.1.noarch", "product": { "name": "venv-openstack-monasca-ppc64le-2.2.2~dev1-11.43.1.noarch", "product_id": "venv-openstack-monasca-ppc64le-2.2.2~dev1-11.43.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-s390x-2.2.2~dev1-11.43.1.noarch", "product": { "name": "venv-openstack-monasca-s390x-2.2.2~dev1-11.43.1.noarch", "product_id": "venv-openstack-monasca-s390x-2.2.2~dev1-11.43.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-murano-aarch64-4.0.2~dev2-12.36.1.noarch", "product": { "name": "venv-openstack-murano-aarch64-4.0.2~dev2-12.36.1.noarch", "product_id": "venv-openstack-murano-aarch64-4.0.2~dev2-12.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-murano-ppc64le-4.0.2~dev2-12.36.1.noarch", "product": { "name": "venv-openstack-murano-ppc64le-4.0.2~dev2-12.36.1.noarch", "product_id": "venv-openstack-murano-ppc64le-4.0.2~dev2-12.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-murano-s390x-4.0.2~dev2-12.36.1.noarch", "product": { "name": "venv-openstack-murano-s390x-4.0.2~dev2-12.36.1.noarch", "product_id": "venv-openstack-murano-s390x-4.0.2~dev2-12.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-neutron-aarch64-11.0.9~dev69-13.46.1.noarch", "product": { "name": "venv-openstack-neutron-aarch64-11.0.9~dev69-13.46.1.noarch", "product_id": "venv-openstack-neutron-aarch64-11.0.9~dev69-13.46.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-neutron-ppc64le-11.0.9~dev69-13.46.1.noarch", "product": { "name": "venv-openstack-neutron-ppc64le-11.0.9~dev69-13.46.1.noarch", "product_id": "venv-openstack-neutron-ppc64le-11.0.9~dev69-13.46.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-neutron-s390x-11.0.9~dev69-13.46.1.noarch", "product": { "name": "venv-openstack-neutron-s390x-11.0.9~dev69-13.46.1.noarch", "product_id": "venv-openstack-neutron-s390x-11.0.9~dev69-13.46.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-nova-aarch64-16.1.9~dev92-11.44.1.noarch", "product": { "name": "venv-openstack-nova-aarch64-16.1.9~dev92-11.44.1.noarch", "product_id": "venv-openstack-nova-aarch64-16.1.9~dev92-11.44.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-nova-ppc64le-16.1.9~dev92-11.44.1.noarch", "product": { "name": "venv-openstack-nova-ppc64le-16.1.9~dev92-11.44.1.noarch", "product_id": "venv-openstack-nova-ppc64le-16.1.9~dev92-11.44.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-nova-s390x-16.1.9~dev92-11.44.1.noarch", "product": { "name": "venv-openstack-nova-s390x-16.1.9~dev92-11.44.1.noarch", "product_id": "venv-openstack-nova-s390x-16.1.9~dev92-11.44.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-octavia-aarch64-1.0.6~dev3-12.41.1.noarch", "product": { "name": "venv-openstack-octavia-aarch64-1.0.6~dev3-12.41.1.noarch", "product_id": "venv-openstack-octavia-aarch64-1.0.6~dev3-12.41.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-octavia-ppc64le-1.0.6~dev3-12.41.1.noarch", "product": { "name": "venv-openstack-octavia-ppc64le-1.0.6~dev3-12.41.1.noarch", "product_id": "venv-openstack-octavia-ppc64le-1.0.6~dev3-12.41.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-octavia-s390x-1.0.6~dev3-12.41.1.noarch", "product": { "name": "venv-openstack-octavia-s390x-1.0.6~dev3-12.41.1.noarch", "product_id": "venv-openstack-octavia-s390x-1.0.6~dev3-12.41.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-sahara-aarch64-7.0.5~dev4-11.40.1.noarch", "product": { "name": "venv-openstack-sahara-aarch64-7.0.5~dev4-11.40.1.noarch", "product_id": "venv-openstack-sahara-aarch64-7.0.5~dev4-11.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-sahara-ppc64le-7.0.5~dev4-11.40.1.noarch", "product": { "name": "venv-openstack-sahara-ppc64le-7.0.5~dev4-11.40.1.noarch", "product_id": "venv-openstack-sahara-ppc64le-7.0.5~dev4-11.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-sahara-s390x-7.0.5~dev4-11.40.1.noarch", "product": { "name": "venv-openstack-sahara-s390x-7.0.5~dev4-11.40.1.noarch", "product_id": "venv-openstack-sahara-s390x-7.0.5~dev4-11.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-swift-aarch64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "product": { "name": "venv-openstack-swift-aarch64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "product_id": "venv-openstack-swift-aarch64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-swift-ppc64le-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "product": { "name": "venv-openstack-swift-ppc64le-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "product_id": "venv-openstack-swift-ppc64le-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-swift-s390x-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "product": { "name": "venv-openstack-swift-s390x-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "product_id": "venv-openstack-swift-s390x-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-trove-aarch64-8.0.2~dev2-11.40.1.noarch", "product": { "name": "venv-openstack-trove-aarch64-8.0.2~dev2-11.40.1.noarch", "product_id": "venv-openstack-trove-aarch64-8.0.2~dev2-11.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-trove-ppc64le-8.0.2~dev2-11.40.1.noarch", "product": { "name": "venv-openstack-trove-ppc64le-8.0.2~dev2-11.40.1.noarch", "product_id": "venv-openstack-trove-ppc64le-8.0.2~dev2-11.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-trove-s390x-8.0.2~dev2-11.40.1.noarch", "product": { "name": "venv-openstack-trove-s390x-8.0.2~dev2-11.40.1.noarch", "product_id": "venv-openstack-trove-s390x-8.0.2~dev2-11.40.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-zaqar-aarch64-5.0.1-10.22.1.noarch", "product": { "name": "venv-openstack-zaqar-aarch64-5.0.1-10.22.1.noarch", "product_id": "venv-openstack-zaqar-aarch64-5.0.1-10.22.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-zaqar-ppc64le-5.0.1-10.22.1.noarch", "product": { "name": "venv-openstack-zaqar-ppc64le-5.0.1-10.22.1.noarch", "product_id": "venv-openstack-zaqar-ppc64le-5.0.1-10.22.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-zaqar-s390x-5.0.1-10.22.1.noarch", "product": { "name": "venv-openstack-zaqar-s390x-5.0.1-10.22.1.noarch", "product_id": "venv-openstack-zaqar-s390x-5.0.1-10.22.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-zaqar-x86_64-5.0.1-10.22.1.noarch", "product": { "name": "venv-openstack-zaqar-x86_64-5.0.1-10.22.1.noarch", "product_id": "venv-openstack-zaqar-x86_64-5.0.1-10.22.1.noarch" } }, { "category": "product_version", "name": "zookeeper-kit-3.4.10-4.9.1.noarch", "product": { "name": "zookeeper-kit-3.4.10-4.9.1.noarch", "product_id": "zookeeper-kit-3.4.10-4.9.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.10-3.15.1.ppc64le", "product": { "name": "libzookeeper2-3.4.10-3.15.1.ppc64le", "product_id": "libzookeeper2-3.4.10-3.15.1.ppc64le" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.10-3.15.1.ppc64le", "product": { "name": "libzookeeper2-devel-3.4.10-3.15.1.ppc64le", "product_id": "libzookeeper2-devel-3.4.10-3.15.1.ppc64le" } }, { "category": "product_version", "name": "logstash-2.4.1-5.10.1.ppc64le", "product": { "name": "logstash-2.4.1-5.10.1.ppc64le", "product_id": "logstash-2.4.1-5.10.1.ppc64le" } }, { "category": "product_version", "name": "storm-1.2.3-3.11.2.ppc64le", "product": { "name": "storm-1.2.3-3.11.2.ppc64le", "product_id": "storm-1.2.3-3.11.2.ppc64le" } }, { "category": "product_version", "name": "storm-doc-1.2.3-3.11.2.ppc64le", "product": { "name": "storm-doc-1.2.3-3.11.2.ppc64le", "product_id": "storm-doc-1.2.3-3.11.2.ppc64le" } }, { "category": "product_version", "name": "storm-logviewer-1.2.3-3.11.2.ppc64le", "product": { "name": "storm-logviewer-1.2.3-3.11.2.ppc64le", "product_id": "storm-logviewer-1.2.3-3.11.2.ppc64le" } }, { "category": "product_version", "name": "storm-nimbus-1.2.3-3.11.2.ppc64le", "product": { "name": "storm-nimbus-1.2.3-3.11.2.ppc64le", "product_id": "storm-nimbus-1.2.3-3.11.2.ppc64le" } }, { "category": "product_version", "name": "storm-pacemaker-1.2.3-3.11.2.ppc64le", "product": { "name": "storm-pacemaker-1.2.3-3.11.2.ppc64le", "product_id": "storm-pacemaker-1.2.3-3.11.2.ppc64le" } }, { "category": "product_version", "name": "storm-supervisor-1.2.3-3.11.2.ppc64le", "product": { "name": "storm-supervisor-1.2.3-3.11.2.ppc64le", "product_id": "storm-supervisor-1.2.3-3.11.2.ppc64le" } }, { "category": "product_version", "name": "storm-ui-1.2.3-3.11.2.ppc64le", "product": { "name": "storm-ui-1.2.3-3.11.2.ppc64le", "product_id": "storm-ui-1.2.3-3.11.2.ppc64le" } }, { "category": "product_version", "name": "storm-zookeeper-1.2.3-3.11.2.ppc64le", "product": { "name": "storm-zookeeper-1.2.3-3.11.2.ppc64le", "product_id": "storm-zookeeper-1.2.3-3.11.2.ppc64le" } }, { "category": "product_version", "name": "zookeeper-client-3.4.10-3.15.1.ppc64le", "product": { "name": "zookeeper-client-3.4.10-3.15.1.ppc64le", "product_id": "zookeeper-client-3.4.10-3.15.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.10-3.15.1.s390x", "product": { "name": "libzookeeper2-3.4.10-3.15.1.s390x", "product_id": "libzookeeper2-3.4.10-3.15.1.s390x" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.10-3.15.1.s390x", "product": { "name": "libzookeeper2-devel-3.4.10-3.15.1.s390x", "product_id": "libzookeeper2-devel-3.4.10-3.15.1.s390x" } }, { "category": "product_version", "name": "logstash-2.4.1-5.10.1.s390x", "product": { "name": "logstash-2.4.1-5.10.1.s390x", "product_id": "logstash-2.4.1-5.10.1.s390x" } }, { "category": "product_version", "name": "zookeeper-client-3.4.10-3.15.1.s390x", "product": { "name": "zookeeper-client-3.4.10-3.15.1.s390x", "product_id": "zookeeper-client-3.4.10-3.15.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "kafka-0.10.2.2-5.12.1.x86_64", "product": { "name": "kafka-0.10.2.2-5.12.1.x86_64", "product_id": "kafka-0.10.2.2-5.12.1.x86_64" } }, { "category": "product_version", "name": "logstash-2.4.1-5.10.1.x86_64", "product": { "name": "logstash-2.4.1-5.10.1.x86_64", "product_id": "logstash-2.4.1-5.10.1.x86_64" } }, { "category": "product_version", "name": "storm-1.2.3-3.11.2.x86_64", "product": { "name": "storm-1.2.3-3.11.2.x86_64", "product_id": "storm-1.2.3-3.11.2.x86_64" } }, { "category": "product_version", "name": "storm-nimbus-1.2.3-3.11.2.x86_64", "product": { "name": "storm-nimbus-1.2.3-3.11.2.x86_64", "product_id": "storm-nimbus-1.2.3-3.11.2.x86_64" } }, { "category": "product_version", "name": "storm-supervisor-1.2.3-3.11.2.x86_64", "product": { "name": "storm-supervisor-1.2.3-3.11.2.x86_64", "product_id": "storm-supervisor-1.2.3-3.11.2.x86_64" } }, { "category": "product_version", "name": "kafka-doc-0.10.2.2-5.12.1.x86_64", "product": { "name": "kafka-doc-0.10.2.2-5.12.1.x86_64", "product_id": "kafka-doc-0.10.2.2-5.12.1.x86_64" } }, { "category": "product_version", "name": "kafka-kit-0.10.2.2-5.9.1.x86_64", "product": { "name": "kafka-kit-0.10.2.2-5.9.1.x86_64", "product_id": "kafka-kit-0.10.2.2-5.9.1.x86_64" } }, { "category": "product_version", "name": "kafka-zookeeper-0.10.2.2-5.12.1.x86_64", "product": { "name": "kafka-zookeeper-0.10.2.2-5.12.1.x86_64", "product_id": "kafka-zookeeper-0.10.2.2-5.12.1.x86_64" } }, { "category": "product_version", "name": "libzookeeper2-3.4.10-3.15.1.x86_64", "product": { "name": "libzookeeper2-3.4.10-3.15.1.x86_64", "product_id": "libzookeeper2-3.4.10-3.15.1.x86_64" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.10-3.15.1.x86_64", "product": { "name": "libzookeeper2-devel-3.4.10-3.15.1.x86_64", "product_id": "libzookeeper2-devel-3.4.10-3.15.1.x86_64" } }, { "category": "product_version", "name": "storm-doc-1.2.3-3.11.2.x86_64", "product": { "name": "storm-doc-1.2.3-3.11.2.x86_64", "product_id": "storm-doc-1.2.3-3.11.2.x86_64" } }, { "category": "product_version", "name": "storm-logviewer-1.2.3-3.11.2.x86_64", "product": { "name": "storm-logviewer-1.2.3-3.11.2.x86_64", "product_id": "storm-logviewer-1.2.3-3.11.2.x86_64" } }, { "category": "product_version", "name": "storm-pacemaker-1.2.3-3.11.2.x86_64", "product": { "name": "storm-pacemaker-1.2.3-3.11.2.x86_64", "product_id": "storm-pacemaker-1.2.3-3.11.2.x86_64" } }, { "category": "product_version", "name": "storm-ui-1.2.3-3.11.2.x86_64", "product": { "name": "storm-ui-1.2.3-3.11.2.x86_64", "product_id": "storm-ui-1.2.3-3.11.2.x86_64" } }, { "category": "product_version", "name": "storm-zookeeper-1.2.3-3.11.2.x86_64", "product": { "name": "storm-zookeeper-1.2.3-3.11.2.x86_64", "product_id": "storm-zookeeper-1.2.3-3.11.2.x86_64" } }, { "category": "product_version", "name": "zookeeper-client-3.4.10-3.15.1.x86_64", "product": { "name": "zookeeper-client-3.4.10-3.15.1.x86_64", "product_id": "zookeeper-client-3.4.10-3.15.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "HPE Helion OpenStack 8", "product": { "name": "HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8", "product_identification_helper": { "cpe": "cpe:/o:suse:hpe-helion-openstack:8" } } }, { "category": "product_name", "name": "SUSE OpenStack Cloud 8", "product": { "name": "SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud:8" } } }, { "category": "product_name", "name": "SUSE OpenStack Cloud Crowbar 8", "product": { "name": "SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:8" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "elasticsearch-2.4.2-5.6.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:elasticsearch-2.4.2-5.6.1.noarch" }, "product_reference": "elasticsearch-2.4.2-5.6.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-0.10.2.2-5.12.1.x86_64 as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:kafka-0.10.2.2-5.12.1.x86_64" }, "product_reference": "kafka-0.10.2.2-5.12.1.x86_64", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "logstash-2.4.1-5.10.1.x86_64 as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:logstash-2.4.1-5.10.1.x86_64" }, "product_reference": "logstash-2.4.1-5.10.1.x86_64", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch" }, "product_reference": "openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-log-metrics-0.0.1-3.3.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch" }, "product_reference": "openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-log-persister-0.0.1-5.3.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch" }, "product_reference": "openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-log-transformer-0.0.1-4.3.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch" }, "product_reference": "openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch" }, "product_reference": "openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-thresh-2.1.1-4.6.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch" }, "product_reference": "openstack-monasca-thresh-2.1.1-4.6.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "python-monasca-agent-2.2.6~dev4-3.27.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch" }, "product_reference": "python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "spark-1.6.3-8.12.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:spark-1.6.3-8.12.1.noarch" }, "product_reference": "spark-1.6.3-8.12.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "storm-1.2.3-3.11.2.x86_64 as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:storm-1.2.3-3.11.2.x86_64" }, "product_reference": "storm-1.2.3-3.11.2.x86_64", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "storm-nimbus-1.2.3-3.11.2.x86_64 as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.11.2.x86_64" }, "product_reference": "storm-nimbus-1.2.3-3.11.2.x86_64", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "storm-supervisor-1.2.3-3.11.2.x86_64 as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.11.2.x86_64" }, "product_reference": "storm-supervisor-1.2.3-3.11.2.x86_64", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch" }, "product_reference": "venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch" }, "product_reference": "venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch" }, "product_reference": "venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch" }, "product_reference": "venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch" }, "product_reference": "venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch" }, "product_reference": "venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch" }, "product_reference": "venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch" }, "product_reference": "venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.46.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.46.1.noarch" }, "product_reference": "venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.46.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch" }, "product_reference": "venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch" }, "product_reference": "venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch" }, "product_reference": "venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch" }, "product_reference": "venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch" }, "product_reference": "venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch" }, "product_reference": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch" }, "product_reference": "venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch" }, "product_reference": "venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch" }, "product_reference": "venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch" }, "product_reference": "venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch" }, "product_reference": "venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch" }, "product_reference": "venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch" }, "product_reference": "venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "zookeeper-server-3.4.10-3.15.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.15.1.noarch" }, "product_reference": "zookeeper-server-3.4.10-3.15.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "elasticsearch-2.4.2-5.6.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:elasticsearch-2.4.2-5.6.1.noarch" }, "product_reference": "elasticsearch-2.4.2-5.6.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-0.10.2.2-5.12.1.x86_64 as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:kafka-0.10.2.2-5.12.1.x86_64" }, "product_reference": "kafka-0.10.2.2-5.12.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "logstash-2.4.1-5.10.1.x86_64 as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:logstash-2.4.1-5.10.1.x86_64" }, "product_reference": "logstash-2.4.1-5.10.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch" }, "product_reference": "openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-log-metrics-0.0.1-3.3.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch" }, "product_reference": "openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-log-persister-0.0.1-5.3.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch" }, "product_reference": "openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-log-transformer-0.0.1-4.3.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch" }, "product_reference": "openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch" }, "product_reference": "openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-thresh-2.1.1-4.6.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch" }, "product_reference": "openstack-monasca-thresh-2.1.1-4.6.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "python-monasca-agent-2.2.6~dev4-3.27.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch" }, "product_reference": "python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "spark-1.6.3-8.12.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:spark-1.6.3-8.12.1.noarch" }, "product_reference": "spark-1.6.3-8.12.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "storm-1.2.3-3.11.2.x86_64 as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:storm-1.2.3-3.11.2.x86_64" }, "product_reference": "storm-1.2.3-3.11.2.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "storm-nimbus-1.2.3-3.11.2.x86_64 as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.11.2.x86_64" }, "product_reference": "storm-nimbus-1.2.3-3.11.2.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "storm-supervisor-1.2.3-3.11.2.x86_64 as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.11.2.x86_64" }, "product_reference": "storm-supervisor-1.2.3-3.11.2.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch" }, "product_reference": "venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch" }, "product_reference": "venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch" }, "product_reference": "venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch" }, "product_reference": "venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch" }, "product_reference": "venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch" }, "product_reference": "venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch" }, "product_reference": "venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch" }, "product_reference": "venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-horizon-x86_64-12.0.5~dev6-14.46.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-horizon-x86_64-12.0.5~dev6-14.46.1.noarch" }, "product_reference": "venv-openstack-horizon-x86_64-12.0.5~dev6-14.46.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch" }, "product_reference": "venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch" }, "product_reference": "venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch" }, "product_reference": "venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch" }, "product_reference": "venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch" }, "product_reference": "venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch" }, "product_reference": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch" }, "product_reference": "venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch" }, "product_reference": "venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch" }, "product_reference": "venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch" }, "product_reference": "venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch" }, "product_reference": "venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch" }, "product_reference": "venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch" }, "product_reference": "venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "zookeeper-server-3.4.10-3.15.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.15.1.noarch" }, "product_reference": "zookeeper-server-3.4.10-3.15.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "elasticsearch-2.4.2-5.6.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:elasticsearch-2.4.2-5.6.1.noarch" }, "product_reference": "elasticsearch-2.4.2-5.6.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-0.10.2.2-5.12.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:kafka-0.10.2.2-5.12.1.x86_64" }, "product_reference": "kafka-0.10.2.2-5.12.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "logstash-2.4.1-5.10.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.10.1.x86_64" }, "product_reference": "logstash-2.4.1-5.10.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch" }, "product_reference": "openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-log-metrics-0.0.1-3.3.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch" }, "product_reference": "openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-log-persister-0.0.1-5.3.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch" }, "product_reference": "openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-log-transformer-0.0.1-4.3.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch" }, "product_reference": "openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch" }, "product_reference": "openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-thresh-2.1.1-4.6.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch" }, "product_reference": "openstack-monasca-thresh-2.1.1-4.6.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "python-monasca-agent-2.2.6~dev4-3.27.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch" }, "product_reference": "python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "spark-1.6.3-8.12.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:spark-1.6.3-8.12.1.noarch" }, "product_reference": "spark-1.6.3-8.12.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "storm-1.2.3-3.11.2.x86_64 as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.11.2.x86_64" }, "product_reference": "storm-1.2.3-3.11.2.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "storm-nimbus-1.2.3-3.11.2.x86_64 as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.11.2.x86_64" }, "product_reference": "storm-nimbus-1.2.3-3.11.2.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "storm-supervisor-1.2.3-3.11.2.x86_64 as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.11.2.x86_64" }, "product_reference": "storm-supervisor-1.2.3-3.11.2.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "zookeeper-server-3.4.10-3.15.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.15.1.noarch" }, "product_reference": "zookeeper-server-3.4.10-3.15.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "HPE Helion OpenStack 8:elasticsearch-2.4.2-5.6.1.noarch", "HPE Helion OpenStack 8:kafka-0.10.2.2-5.12.1.x86_64", "HPE Helion OpenStack 8:logstash-2.4.1-5.10.1.x86_64", "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:spark-1.6.3-8.12.1.noarch", "HPE Helion OpenStack 8:storm-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "HPE Helion OpenStack 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "HPE Helion OpenStack 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "HPE Helion OpenStack 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "HPE Helion OpenStack 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-horizon-x86_64-12.0.5~dev6-14.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud Crowbar 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.15.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "HPE Helion OpenStack 8:elasticsearch-2.4.2-5.6.1.noarch", "HPE Helion OpenStack 8:kafka-0.10.2.2-5.12.1.x86_64", "HPE Helion OpenStack 8:logstash-2.4.1-5.10.1.x86_64", "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:spark-1.6.3-8.12.1.noarch", "HPE Helion OpenStack 8:storm-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "HPE Helion OpenStack 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "HPE Helion OpenStack 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "HPE Helion OpenStack 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "HPE Helion OpenStack 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-horizon-x86_64-12.0.5~dev6-14.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud Crowbar 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.15.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "HPE Helion OpenStack 8:elasticsearch-2.4.2-5.6.1.noarch", "HPE Helion OpenStack 8:kafka-0.10.2.2-5.12.1.x86_64", "HPE Helion OpenStack 8:logstash-2.4.1-5.10.1.x86_64", "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:spark-1.6.3-8.12.1.noarch", "HPE Helion OpenStack 8:storm-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "HPE Helion OpenStack 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "HPE Helion OpenStack 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "HPE Helion OpenStack 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "HPE Helion OpenStack 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-horizon-x86_64-12.0.5~dev6-14.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud Crowbar 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.15.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2022-02-09T11:07:10Z", "details": "moderate" } ], "title": "CVE-2021-4104" }, { "cve": "CVE-2022-23302", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2022-23302" } ], "notes": [ { "category": "general", "text": "JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "HPE Helion OpenStack 8:elasticsearch-2.4.2-5.6.1.noarch", "HPE Helion OpenStack 8:kafka-0.10.2.2-5.12.1.x86_64", "HPE Helion OpenStack 8:logstash-2.4.1-5.10.1.x86_64", "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:spark-1.6.3-8.12.1.noarch", "HPE Helion OpenStack 8:storm-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "HPE Helion OpenStack 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "HPE Helion OpenStack 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "HPE Helion OpenStack 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "HPE Helion OpenStack 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-horizon-x86_64-12.0.5~dev6-14.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud Crowbar 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.15.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2022-23302", "url": "https://www.suse.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2022-23302", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "HPE Helion OpenStack 8:elasticsearch-2.4.2-5.6.1.noarch", "HPE Helion OpenStack 8:kafka-0.10.2.2-5.12.1.x86_64", "HPE Helion OpenStack 8:logstash-2.4.1-5.10.1.x86_64", "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:spark-1.6.3-8.12.1.noarch", "HPE Helion OpenStack 8:storm-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "HPE Helion OpenStack 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "HPE Helion OpenStack 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "HPE Helion OpenStack 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "HPE Helion OpenStack 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-horizon-x86_64-12.0.5~dev6-14.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud Crowbar 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.15.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "HPE Helion OpenStack 8:elasticsearch-2.4.2-5.6.1.noarch", "HPE Helion OpenStack 8:kafka-0.10.2.2-5.12.1.x86_64", "HPE Helion OpenStack 8:logstash-2.4.1-5.10.1.x86_64", "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:spark-1.6.3-8.12.1.noarch", "HPE Helion OpenStack 8:storm-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "HPE Helion OpenStack 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "HPE Helion OpenStack 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "HPE Helion OpenStack 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "HPE Helion OpenStack 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-horizon-x86_64-12.0.5~dev6-14.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud Crowbar 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.15.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2022-02-09T11:07:10Z", "details": "moderate" } ], "title": "CVE-2022-23302" }, { "cve": "CVE-2022-23305", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2022-23305" } ], "notes": [ { "category": "general", "text": "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "HPE Helion OpenStack 8:elasticsearch-2.4.2-5.6.1.noarch", "HPE Helion OpenStack 8:kafka-0.10.2.2-5.12.1.x86_64", "HPE Helion OpenStack 8:logstash-2.4.1-5.10.1.x86_64", "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:spark-1.6.3-8.12.1.noarch", "HPE Helion OpenStack 8:storm-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "HPE Helion OpenStack 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "HPE Helion OpenStack 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "HPE Helion OpenStack 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "HPE Helion OpenStack 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-horizon-x86_64-12.0.5~dev6-14.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud Crowbar 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.15.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2022-23305", "url": "https://www.suse.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "SUSE Bug 1194843 for CVE-2022-23305", "url": "https://bugzilla.suse.com/1194843" }, { "category": "external", "summary": "SUSE Bug 1196392 for CVE-2022-23305", "url": "https://bugzilla.suse.com/1196392" }, { "category": "external", "summary": "SUSE Bug 1225673 for CVE-2022-23305", "url": "https://bugzilla.suse.com/1225673" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "HPE Helion OpenStack 8:elasticsearch-2.4.2-5.6.1.noarch", "HPE Helion OpenStack 8:kafka-0.10.2.2-5.12.1.x86_64", "HPE Helion OpenStack 8:logstash-2.4.1-5.10.1.x86_64", "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:spark-1.6.3-8.12.1.noarch", "HPE Helion OpenStack 8:storm-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "HPE Helion OpenStack 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "HPE Helion OpenStack 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "HPE Helion OpenStack 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "HPE Helion OpenStack 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-horizon-x86_64-12.0.5~dev6-14.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud Crowbar 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.15.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "HPE Helion OpenStack 8:elasticsearch-2.4.2-5.6.1.noarch", "HPE Helion OpenStack 8:kafka-0.10.2.2-5.12.1.x86_64", "HPE Helion OpenStack 8:logstash-2.4.1-5.10.1.x86_64", "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:spark-1.6.3-8.12.1.noarch", "HPE Helion OpenStack 8:storm-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "HPE Helion OpenStack 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "HPE Helion OpenStack 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "HPE Helion OpenStack 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "HPE Helion OpenStack 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-horizon-x86_64-12.0.5~dev6-14.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud Crowbar 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.15.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2022-02-09T11:07:10Z", "details": "important" } ], "title": "CVE-2022-23305" }, { "cve": "CVE-2022-23307", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2022-23307" } ], "notes": [ { "category": "general", "text": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.", "title": "CVE description" } ], "product_status": { "recommended": [ "HPE Helion OpenStack 8:elasticsearch-2.4.2-5.6.1.noarch", "HPE Helion OpenStack 8:kafka-0.10.2.2-5.12.1.x86_64", "HPE Helion OpenStack 8:logstash-2.4.1-5.10.1.x86_64", "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:spark-1.6.3-8.12.1.noarch", "HPE Helion OpenStack 8:storm-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "HPE Helion OpenStack 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "HPE Helion OpenStack 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "HPE Helion OpenStack 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "HPE Helion OpenStack 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-horizon-x86_64-12.0.5~dev6-14.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud Crowbar 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.15.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2022-23307", "url": "https://www.suse.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "SUSE Bug 1194844 for CVE-2022-23307", "url": "https://bugzilla.suse.com/1194844" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "HPE Helion OpenStack 8:elasticsearch-2.4.2-5.6.1.noarch", "HPE Helion OpenStack 8:kafka-0.10.2.2-5.12.1.x86_64", "HPE Helion OpenStack 8:logstash-2.4.1-5.10.1.x86_64", "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:spark-1.6.3-8.12.1.noarch", "HPE Helion OpenStack 8:storm-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "HPE Helion OpenStack 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "HPE Helion OpenStack 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "HPE Helion OpenStack 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "HPE Helion OpenStack 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-horizon-x86_64-12.0.5~dev6-14.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud Crowbar 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.15.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "HPE Helion OpenStack 8:elasticsearch-2.4.2-5.6.1.noarch", "HPE Helion OpenStack 8:kafka-0.10.2.2-5.12.1.x86_64", "HPE Helion OpenStack 8:logstash-2.4.1-5.10.1.x86_64", "HPE Helion OpenStack 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "HPE Helion OpenStack 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "HPE Helion OpenStack 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "HPE Helion OpenStack 8:spark-1.6.3-8.12.1.noarch", "HPE Helion OpenStack 8:storm-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.11.2.x86_64", "HPE Helion OpenStack 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "HPE Helion OpenStack 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "HPE Helion OpenStack 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "HPE Helion OpenStack 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-horizon-hpe-x86_64-12.0.5~dev6-14.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "HPE Helion OpenStack 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "HPE Helion OpenStack 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "HPE Helion OpenStack 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "HPE Helion OpenStack 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "HPE Helion OpenStack 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "HPE Helion OpenStack 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "HPE Helion OpenStack 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "HPE Helion OpenStack 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud 8:venv-openstack-aodh-x86_64-5.1.1~dev7-12.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-barbican-x86_64-5.0.2~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.38.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-cinder-x86_64-11.2.3~dev29-14.42.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-designate-x86_64-5.0.3~dev7-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-glance-x86_64-15.0.3~dev3-12.39.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-heat-x86_64-9.0.8~dev22-12.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-horizon-x86_64-12.0.5~dev6-14.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-ironic-x86_64-9.1.8~dev8-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-keystone-x86_64-12.0.4~dev11-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-manila-x86_64-5.1.1~dev5-12.45.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.43.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-murano-x86_64-4.0.2~dev2-12.36.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-neutron-x86_64-11.0.9~dev69-13.46.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-nova-x86_64-16.1.9~dev92-11.44.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-octavia-x86_64-1.0.6~dev3-12.41.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-sahara-x86_64-7.0.5~dev4-11.40.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-swift-x86_64-2.15.2_2.15.2_2.15.2~dev32-11.31.1.noarch", "SUSE OpenStack Cloud 8:venv-openstack-trove-x86_64-8.0.2~dev2-11.40.1.noarch", "SUSE OpenStack Cloud 8:zookeeper-server-3.4.10-3.15.1.noarch", "SUSE OpenStack Cloud Crowbar 8:elasticsearch-2.4.2-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:kafka-0.10.2.2-5.12.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.10.1.x86_64", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-metrics-0.0.1-3.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-persister-0.0.1-5.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-log-transformer-0.0.1-4.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-persister-java-1.7.1~a0~dev2-3.9.1.noarch", "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-thresh-2.1.1-4.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-monasca-agent-2.2.6~dev4-3.27.1.noarch", "SUSE OpenStack Cloud Crowbar 8:spark-1.6.3-8.12.1.noarch", "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.11.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:zookeeper-server-3.4.10-3.15.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2022-02-09T11:07:10Z", "details": "important" } ], "title": "CVE-2022-23307" } ] }
suse-su-2021:4112-1
Vulnerability from csaf_suse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for log4j12", "title": "Title of the patch" }, { "category": "description", "text": "This update for log4j12 fixes the following issues:\n\n- CVE-2021-4104: Disable the JMSAppender class from log4j to protect against\n the log4jshell vulnerability. [bsc#1193662]\n", "title": "Description of the patch" }, { "category": "details", "text": "SUSE-2021-4112,SUSE-SLE-Module-Basesystem-15-SP2-2021-4112,SUSE-SLE-Module-Basesystem-15-SP3-2021-4112,SUSE-SLE-Module-Development-Tools-15-SP2-2021-4112,SUSE-SLE-Module-Development-Tools-15-SP3-2021-4112", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_4112-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2021:4112-1", "url": "https://www.suse.com/support/update/announcement/2021/suse-su-20214112-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2021:4112-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009916.html" }, { "category": "self", "summary": "SUSE Bug 1193662", "url": "https://bugzilla.suse.com/1193662" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" } ], "title": "Security update for log4j12", "tracking": { "current_release_date": "2021-12-17T11:19:32Z", "generator": { "date": "2021-12-17T11:19:32Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2021:4112-1", "initial_release_date": "2021-12-17T11:19:32Z", "revision_history": [ { "date": "2021-12-17T11:19:32Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "log4j12-1.2.17-4.3.1.noarch", "product": { "name": "log4j12-1.2.17-4.3.1.noarch", "product_id": "log4j12-1.2.17-4.3.1.noarch" } }, { "category": "product_version", "name": "log4j12-javadoc-1.2.17-4.3.1.noarch", "product": { "name": "log4j12-javadoc-1.2.17-4.3.1.noarch", "product_id": "log4j12-javadoc-1.2.17-4.3.1.noarch" } }, { "category": "product_version", "name": "log4j12-manual-1.2.17-4.3.1.noarch", "product": { "name": "log4j12-manual-1.2.17-4.3.1.noarch", "product_id": "log4j12-manual-1.2.17-4.3.1.noarch" } }, { "category": "product_version", "name": "log4j12-mini-1.2.17-4.3.1.noarch", "product": { "name": "log4j12-mini-1.2.17-4.3.1.noarch", "product_id": "log4j12-mini-1.2.17-4.3.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux Enterprise Module for Basesystem 15 SP2", "product": { "name": "SUSE Linux Enterprise Module for Basesystem 15 SP2", "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP2", "product_identification_helper": { "cpe": "cpe:/o:suse:sle-module-basesystem:15:sp2" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Module for Basesystem 15 SP3", "product": { "name": "SUSE Linux Enterprise Module for Basesystem 15 SP3", "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP3", "product_identification_helper": { "cpe": "cpe:/o:suse:sle-module-basesystem:15:sp3" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Module for Development Tools 15 SP2", "product": { "name": "SUSE Linux Enterprise Module for Development Tools 15 SP2", "product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP2", "product_identification_helper": { "cpe": "cpe:/o:suse:sle-module-development-tools:15:sp2" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Module for Development Tools 15 SP3", "product": { "name": "SUSE Linux Enterprise Module for Development Tools 15 SP3", "product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP3", "product_identification_helper": { "cpe": "cpe:/o:suse:sle-module-development-tools:15:sp3" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j12-1.2.17-4.3.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP2", "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP2:log4j12-1.2.17-4.3.1.noarch" }, "product_reference": "log4j12-1.2.17-4.3.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP2" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-1.2.17-4.3.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP3", "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP3:log4j12-1.2.17-4.3.1.noarch" }, "product_reference": "log4j12-1.2.17-4.3.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-javadoc-1.2.17-4.3.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP2", "product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP2:log4j12-javadoc-1.2.17-4.3.1.noarch" }, "product_reference": "log4j12-javadoc-1.2.17-4.3.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP2" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-manual-1.2.17-4.3.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP2", "product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP2:log4j12-manual-1.2.17-4.3.1.noarch" }, "product_reference": "log4j12-manual-1.2.17-4.3.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP2" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-javadoc-1.2.17-4.3.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP3", "product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP3:log4j12-javadoc-1.2.17-4.3.1.noarch" }, "product_reference": "log4j12-javadoc-1.2.17-4.3.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "log4j12-manual-1.2.17-4.3.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP3", "product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP3:log4j12-manual-1.2.17-4.3.1.noarch" }, "product_reference": "log4j12-manual-1.2.17-4.3.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP3" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Linux Enterprise Module for Basesystem 15 SP2:log4j12-1.2.17-4.3.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP3:log4j12-1.2.17-4.3.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP2:log4j12-javadoc-1.2.17-4.3.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP2:log4j12-manual-1.2.17-4.3.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP3:log4j12-javadoc-1.2.17-4.3.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP3:log4j12-manual-1.2.17-4.3.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Linux Enterprise Module for Basesystem 15 SP2:log4j12-1.2.17-4.3.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP3:log4j12-1.2.17-4.3.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP2:log4j12-javadoc-1.2.17-4.3.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP2:log4j12-manual-1.2.17-4.3.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP3:log4j12-javadoc-1.2.17-4.3.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP3:log4j12-manual-1.2.17-4.3.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE Linux Enterprise Module for Basesystem 15 SP2:log4j12-1.2.17-4.3.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP3:log4j12-1.2.17-4.3.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP2:log4j12-javadoc-1.2.17-4.3.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP2:log4j12-manual-1.2.17-4.3.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP3:log4j12-javadoc-1.2.17-4.3.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP3:log4j12-manual-1.2.17-4.3.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2021-12-17T11:19:32Z", "details": "moderate" } ], "title": "CVE-2021-4104" } ] }
suse-su-2021:4096-1
Vulnerability from csaf_suse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for storm", "title": "Title of the patch" }, { "category": "description", "text": "This update for storm fixes the following issues:\n\n- Remove JndiLookup from log4j 2.x jars during build to prevent \u0027log4shell\u0027 code injection. (bsc#1193641, bsc#1193611, CVE-2021-44228)\n- Remove JMSAppender from log4j 1.2.x jars during build to prevent attacks when JMS is enabled (bsc#1193641, bsc#1193662, CVE-2021-4104)\n", "title": "Description of the patch" }, { "category": "details", "text": "HPE-Helion-OpenStack-8-2021-4096,SUSE-2021-4096,SUSE-OpenStack-Cloud-8-2021-4096,SUSE-OpenStack-Cloud-Crowbar-8-2021-4096", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_4096-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2021:4096-1", "url": "https://www.suse.com/support/update/announcement/2021/suse-su-20214096-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2021:4096-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009911.html" }, { "category": "self", "summary": "SUSE Bug 1193611", "url": "https://bugzilla.suse.com/1193611" }, { "category": "self", "summary": "SUSE Bug 1193641", "url": "https://bugzilla.suse.com/1193641" }, { "category": "self", "summary": "SUSE Bug 1193662", "url": "https://bugzilla.suse.com/1193662" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" }, { "category": "self", "summary": "SUSE CVE CVE-2021-44228 page", "url": "https://www.suse.com/security/cve/CVE-2021-44228/" } ], "title": "Security update for storm", "tracking": { "current_release_date": "2021-12-15T10:31:48Z", "generator": { "date": "2021-12-15T10:31:48Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2021:4096-1", "initial_release_date": "2021-12-15T10:31:48Z", "revision_history": [ { "date": "2021-12-15T10:31:48Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "storm-1.2.3-3.8.2.aarch64", "product": { "name": "storm-1.2.3-3.8.2.aarch64", "product_id": "storm-1.2.3-3.8.2.aarch64" } }, { "category": "product_version", "name": "storm-doc-1.2.3-3.8.2.aarch64", "product": { "name": "storm-doc-1.2.3-3.8.2.aarch64", "product_id": "storm-doc-1.2.3-3.8.2.aarch64" } }, { "category": "product_version", "name": "storm-logviewer-1.2.3-3.8.2.aarch64", "product": { "name": "storm-logviewer-1.2.3-3.8.2.aarch64", "product_id": "storm-logviewer-1.2.3-3.8.2.aarch64" } }, { "category": "product_version", "name": "storm-nimbus-1.2.3-3.8.2.aarch64", "product": { "name": "storm-nimbus-1.2.3-3.8.2.aarch64", "product_id": "storm-nimbus-1.2.3-3.8.2.aarch64" } }, { "category": "product_version", "name": "storm-pacemaker-1.2.3-3.8.2.aarch64", "product": { "name": "storm-pacemaker-1.2.3-3.8.2.aarch64", "product_id": "storm-pacemaker-1.2.3-3.8.2.aarch64" } }, { "category": "product_version", "name": "storm-supervisor-1.2.3-3.8.2.aarch64", "product": { "name": "storm-supervisor-1.2.3-3.8.2.aarch64", "product_id": "storm-supervisor-1.2.3-3.8.2.aarch64" } }, { "category": "product_version", "name": "storm-ui-1.2.3-3.8.2.aarch64", "product": { "name": "storm-ui-1.2.3-3.8.2.aarch64", "product_id": "storm-ui-1.2.3-3.8.2.aarch64" } }, { "category": "product_version", "name": "storm-zookeeper-1.2.3-3.8.2.aarch64", "product": { "name": "storm-zookeeper-1.2.3-3.8.2.aarch64", "product_id": "storm-zookeeper-1.2.3-3.8.2.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch", "product": { "name": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch", "product_id": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch" } }, { "category": "product_version", "name": "storm-kit-1.2.3-3.10.1.noarch", "product": { "name": "storm-kit-1.2.3-3.10.1.noarch", "product_id": "storm-kit-1.2.3-3.10.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-aarch64-2.2.2~dev1-11.32.1.noarch", "product": { "name": "venv-openstack-monasca-aarch64-2.2.2~dev1-11.32.1.noarch", "product_id": "venv-openstack-monasca-aarch64-2.2.2~dev1-11.32.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ppc64le-2.2.2~dev1-11.32.1.noarch", "product": { "name": "venv-openstack-monasca-ppc64le-2.2.2~dev1-11.32.1.noarch", "product_id": "venv-openstack-monasca-ppc64le-2.2.2~dev1-11.32.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-s390x-2.2.2~dev1-11.32.1.noarch", "product": { "name": "venv-openstack-monasca-s390x-2.2.2~dev1-11.32.1.noarch", "product_id": "venv-openstack-monasca-s390x-2.2.2~dev1-11.32.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "storm-1.2.3-3.8.2.ppc64le", "product": { "name": "storm-1.2.3-3.8.2.ppc64le", "product_id": "storm-1.2.3-3.8.2.ppc64le" } }, { "category": "product_version", "name": "storm-doc-1.2.3-3.8.2.ppc64le", "product": { "name": "storm-doc-1.2.3-3.8.2.ppc64le", "product_id": "storm-doc-1.2.3-3.8.2.ppc64le" } }, { "category": "product_version", "name": "storm-logviewer-1.2.3-3.8.2.ppc64le", "product": { "name": "storm-logviewer-1.2.3-3.8.2.ppc64le", "product_id": "storm-logviewer-1.2.3-3.8.2.ppc64le" } }, { "category": "product_version", "name": "storm-nimbus-1.2.3-3.8.2.ppc64le", "product": { "name": "storm-nimbus-1.2.3-3.8.2.ppc64le", "product_id": "storm-nimbus-1.2.3-3.8.2.ppc64le" } }, { "category": "product_version", "name": "storm-pacemaker-1.2.3-3.8.2.ppc64le", "product": { "name": "storm-pacemaker-1.2.3-3.8.2.ppc64le", "product_id": "storm-pacemaker-1.2.3-3.8.2.ppc64le" } }, { "category": "product_version", "name": "storm-supervisor-1.2.3-3.8.2.ppc64le", "product": { "name": "storm-supervisor-1.2.3-3.8.2.ppc64le", "product_id": "storm-supervisor-1.2.3-3.8.2.ppc64le" } }, { "category": "product_version", "name": "storm-ui-1.2.3-3.8.2.ppc64le", "product": { "name": "storm-ui-1.2.3-3.8.2.ppc64le", "product_id": "storm-ui-1.2.3-3.8.2.ppc64le" } }, { "category": "product_version", "name": "storm-zookeeper-1.2.3-3.8.2.ppc64le", "product": { "name": "storm-zookeeper-1.2.3-3.8.2.ppc64le", "product_id": "storm-zookeeper-1.2.3-3.8.2.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "storm-1.2.3-3.8.2.x86_64", "product": { "name": "storm-1.2.3-3.8.2.x86_64", "product_id": "storm-1.2.3-3.8.2.x86_64" } }, { "category": "product_version", "name": "storm-nimbus-1.2.3-3.8.2.x86_64", "product": { "name": "storm-nimbus-1.2.3-3.8.2.x86_64", "product_id": "storm-nimbus-1.2.3-3.8.2.x86_64" } }, { "category": "product_version", "name": "storm-supervisor-1.2.3-3.8.2.x86_64", "product": { "name": "storm-supervisor-1.2.3-3.8.2.x86_64", "product_id": "storm-supervisor-1.2.3-3.8.2.x86_64" } }, { "category": "product_version", "name": "storm-doc-1.2.3-3.8.2.x86_64", "product": { "name": "storm-doc-1.2.3-3.8.2.x86_64", "product_id": "storm-doc-1.2.3-3.8.2.x86_64" } }, { "category": "product_version", "name": "storm-logviewer-1.2.3-3.8.2.x86_64", "product": { "name": "storm-logviewer-1.2.3-3.8.2.x86_64", "product_id": "storm-logviewer-1.2.3-3.8.2.x86_64" } }, { "category": "product_version", "name": "storm-pacemaker-1.2.3-3.8.2.x86_64", "product": { "name": "storm-pacemaker-1.2.3-3.8.2.x86_64", "product_id": "storm-pacemaker-1.2.3-3.8.2.x86_64" } }, { "category": "product_version", "name": "storm-ui-1.2.3-3.8.2.x86_64", "product": { "name": "storm-ui-1.2.3-3.8.2.x86_64", "product_id": "storm-ui-1.2.3-3.8.2.x86_64" } }, { "category": "product_version", "name": "storm-zookeeper-1.2.3-3.8.2.x86_64", "product": { "name": "storm-zookeeper-1.2.3-3.8.2.x86_64", "product_id": "storm-zookeeper-1.2.3-3.8.2.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "HPE Helion OpenStack 8", "product": { "name": "HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8", "product_identification_helper": { "cpe": "cpe:/o:suse:hpe-helion-openstack:8" } } }, { "category": "product_name", "name": "SUSE OpenStack Cloud 8", "product": { "name": "SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud:8" } } }, { "category": "product_name", "name": "SUSE OpenStack Cloud Crowbar 8", "product": { "name": "SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:8" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "storm-1.2.3-3.8.2.x86_64 as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:storm-1.2.3-3.8.2.x86_64" }, "product_reference": "storm-1.2.3-3.8.2.x86_64", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "storm-nimbus-1.2.3-3.8.2.x86_64 as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.8.2.x86_64" }, "product_reference": "storm-nimbus-1.2.3-3.8.2.x86_64", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "storm-supervisor-1.2.3-3.8.2.x86_64 as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.8.2.x86_64" }, "product_reference": "storm-supervisor-1.2.3-3.8.2.x86_64", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch" }, "product_reference": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "storm-1.2.3-3.8.2.x86_64 as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:storm-1.2.3-3.8.2.x86_64" }, "product_reference": "storm-1.2.3-3.8.2.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "storm-nimbus-1.2.3-3.8.2.x86_64 as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.8.2.x86_64" }, "product_reference": "storm-nimbus-1.2.3-3.8.2.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "storm-supervisor-1.2.3-3.8.2.x86_64 as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.8.2.x86_64" }, "product_reference": "storm-supervisor-1.2.3-3.8.2.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch" }, "product_reference": "venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "storm-1.2.3-3.8.2.x86_64 as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.8.2.x86_64" }, "product_reference": "storm-1.2.3-3.8.2.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "storm-nimbus-1.2.3-3.8.2.x86_64 as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.8.2.x86_64" }, "product_reference": "storm-nimbus-1.2.3-3.8.2.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "storm-supervisor-1.2.3-3.8.2.x86_64 as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.8.2.x86_64" }, "product_reference": "storm-supervisor-1.2.3-3.8.2.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "HPE Helion OpenStack 8:storm-1.2.3-3.8.2.x86_64", "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.8.2.x86_64", "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.8.2.x86_64", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch", "SUSE OpenStack Cloud 8:storm-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch", "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.8.2.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "HPE Helion OpenStack 8:storm-1.2.3-3.8.2.x86_64", "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.8.2.x86_64", "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.8.2.x86_64", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch", "SUSE OpenStack Cloud 8:storm-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch", "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.8.2.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "HPE Helion OpenStack 8:storm-1.2.3-3.8.2.x86_64", "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.8.2.x86_64", "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.8.2.x86_64", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch", "SUSE OpenStack Cloud 8:storm-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch", "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.8.2.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2021-12-15T10:31:48Z", "details": "moderate" } ], "title": "CVE-2021-4104" }, { "cve": "CVE-2021-44228", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-44228" } ], "notes": [ { "category": "general", "text": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.", "title": "CVE description" } ], "product_status": { "recommended": [ "HPE Helion OpenStack 8:storm-1.2.3-3.8.2.x86_64", "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.8.2.x86_64", "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.8.2.x86_64", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch", "SUSE OpenStack Cloud 8:storm-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch", "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.8.2.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2021-44228", "url": "https://www.suse.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "SUSE Bug 1193611 for CVE-2021-44228", "url": "https://bugzilla.suse.com/1193611" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-44228", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193743 for CVE-2021-44228", "url": "https://bugzilla.suse.com/1193743" }, { "category": "external", "summary": "SUSE Bug 1193795 for CVE-2021-44228", "url": "https://bugzilla.suse.com/1193795" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-44228", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194123 for CVE-2021-44228", "url": "https://bugzilla.suse.com/1194123" }, { "category": "external", "summary": "SUSE Bug 1202994 for CVE-2021-44228", "url": "https://bugzilla.suse.com/1202994" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "HPE Helion OpenStack 8:storm-1.2.3-3.8.2.x86_64", "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.8.2.x86_64", "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.8.2.x86_64", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch", "SUSE OpenStack Cloud 8:storm-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch", "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.8.2.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "HPE Helion OpenStack 8:storm-1.2.3-3.8.2.x86_64", "HPE Helion OpenStack 8:storm-nimbus-1.2.3-3.8.2.x86_64", "HPE Helion OpenStack 8:storm-supervisor-1.2.3-3.8.2.x86_64", "HPE Helion OpenStack 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch", "SUSE OpenStack Cloud 8:storm-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud 8:storm-nimbus-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud 8:storm-supervisor-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud 8:venv-openstack-monasca-x86_64-2.2.2~dev1-11.32.1.noarch", "SUSE OpenStack Cloud Crowbar 8:storm-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-nimbus-1.2.3-3.8.2.x86_64", "SUSE OpenStack Cloud Crowbar 8:storm-supervisor-1.2.3-3.8.2.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2021-12-15T10:31:48Z", "details": "critical" } ], "title": "CVE-2021-44228" } ] }
suse-su-2021:4115-1
Vulnerability from csaf_suse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for log4j", "title": "Title of the patch" }, { "category": "description", "text": "This update for log4j fixes the following issue:\n\n- CVE-2021-4104: Disable the JMSAppender class from log4j to protect against\n the log4jshell vulnerability. [bsc#1193662]\n", "title": "Description of the patch" }, { "category": "details", "text": "HPE-Helion-OpenStack-8-2021-4115,SUSE-2021-4115,SUSE-OpenStack-Cloud-8-2021-4115,SUSE-OpenStack-Cloud-9-2021-4115,SUSE-OpenStack-Cloud-Crowbar-8-2021-4115,SUSE-OpenStack-Cloud-Crowbar-9-2021-4115,SUSE-SLE-SAP-12-SP3-2021-4115,SUSE-SLE-SAP-12-SP4-2021-4115,SUSE-SLE-SDK-12-SP5-2021-4115,SUSE-SLE-SERVER-12-SP2-BCL-2021-4115,SUSE-SLE-SERVER-12-SP3-2021-4115,SUSE-SLE-SERVER-12-SP3-BCL-2021-4115,SUSE-SLE-SERVER-12-SP4-LTSS-2021-4115,SUSE-SLE-SERVER-12-SP5-2021-4115", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_4115-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2021:4115-1", "url": "https://www.suse.com/support/update/announcement/2021/suse-su-20214115-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2021:4115-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009918.html" }, { "category": "self", "summary": "SUSE Bug 1193662", "url": "https://bugzilla.suse.com/1193662" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" } ], "title": "Security update for log4j", "tracking": { "current_release_date": "2021-12-17T12:38:25Z", "generator": { "date": "2021-12-17T12:38:25Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2021:4115-1", "initial_release_date": "2021-12-17T12:38:25Z", "revision_history": [ { "date": "2021-12-17T12:38:25Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "log4j-1.2.15-126.6.1.noarch", "product": { "name": "log4j-1.2.15-126.6.1.noarch", "product_id": "log4j-1.2.15-126.6.1.noarch" } }, { "category": "product_version", "name": "log4j-javadoc-1.2.15-126.6.1.noarch", "product": { "name": "log4j-javadoc-1.2.15-126.6.1.noarch", "product_id": "log4j-javadoc-1.2.15-126.6.1.noarch" } }, { "category": "product_version", "name": "log4j-manual-1.2.15-126.6.1.noarch", "product": { "name": "log4j-manual-1.2.15-126.6.1.noarch", "product_id": "log4j-manual-1.2.15-126.6.1.noarch" } }, { "category": "product_version", "name": "log4j-mini-1.2.15-126.6.1.noarch", "product": { "name": "log4j-mini-1.2.15-126.6.1.noarch", "product_id": "log4j-mini-1.2.15-126.6.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_name", "name": "HPE Helion OpenStack 8", "product": { "name": "HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8", "product_identification_helper": { "cpe": "cpe:/o:suse:hpe-helion-openstack:8" } } }, { "category": "product_name", "name": "SUSE OpenStack Cloud 8", "product": { "name": "SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud:8" } } }, { "category": "product_name", "name": "SUSE OpenStack Cloud 9", "product": { "name": "SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud:9" } } }, { "category": "product_name", "name": "SUSE OpenStack Cloud Crowbar 8", "product": { "name": "SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:8" } } }, { "category": "product_name", "name": "SUSE OpenStack Cloud Crowbar 9", "product": { "name": "SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:9" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Server for SAP Applications 12 SP3", "product": { "name": "SUSE Linux Enterprise Server for SAP Applications 12 SP3", "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP3", "product_identification_helper": { "cpe": "cpe:/o:suse:sles_sap:12:sp3" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Server for SAP Applications 12 SP4", "product": { "name": "SUSE Linux Enterprise Server for SAP Applications 12 SP4", "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP4", "product_identification_helper": { "cpe": "cpe:/o:suse:sles_sap:12:sp4" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Software Development Kit 12 SP5", "product": { "name": "SUSE Linux Enterprise Software Development Kit 12 SP5", "product_id": "SUSE Linux Enterprise Software Development Kit 12 SP5", "product_identification_helper": { "cpe": "cpe:/o:suse:sle-sdk:12:sp5" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Server 12 SP2-BCL", "product": { "name": "SUSE Linux Enterprise Server 12 SP2-BCL", "product_id": "SUSE Linux Enterprise Server 12 SP2-BCL", "product_identification_helper": { "cpe": "cpe:/o:suse:sles-bcl:12:sp2" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Server 12 SP3-LTSS", "product": { "name": "SUSE Linux Enterprise Server 12 SP3-LTSS", "product_id": "SUSE Linux Enterprise Server 12 SP3-LTSS", "product_identification_helper": { "cpe": "cpe:/o:suse:sles-ltss:12:sp3" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Server 12 SP3-BCL", "product": { "name": "SUSE Linux Enterprise Server 12 SP3-BCL", "product_id": "SUSE Linux Enterprise Server 12 SP3-BCL", "product_identification_helper": { "cpe": "cpe:/o:suse:sles-bcl:12:sp3" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Server 12 SP4-LTSS", "product": { "name": "SUSE Linux Enterprise Server 12 SP4-LTSS", "product_id": "SUSE Linux Enterprise Server 12 SP4-LTSS", "product_identification_helper": { "cpe": "cpe:/o:suse:sles-ltss:12:sp4" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Server 12 SP5", "product": { "name": "SUSE Linux Enterprise Server 12 SP5", "product_id": "SUSE Linux Enterprise Server 12 SP5", "product_identification_helper": { "cpe": "cpe:/o:suse:sles:12:sp5" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Server for SAP Applications 12 SP5", "product": { "name": "SUSE Linux Enterprise Server for SAP Applications 12 SP5", "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5", "product_identification_helper": { "cpe": "cpe:/o:suse:sles_sap:12:sp5" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.15-126.6.1.noarch as component of HPE Helion OpenStack 8", "product_id": "HPE Helion OpenStack 8:log4j-1.2.15-126.6.1.noarch" }, "product_reference": "log4j-1.2.15-126.6.1.noarch", "relates_to_product_reference": "HPE Helion OpenStack 8" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.15-126.6.1.noarch as component of SUSE OpenStack Cloud 8", "product_id": "SUSE OpenStack Cloud 8:log4j-1.2.15-126.6.1.noarch" }, "product_reference": "log4j-1.2.15-126.6.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 8" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.15-126.6.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:log4j-1.2.15-126.6.1.noarch" }, "product_reference": "log4j-1.2.15-126.6.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.15-126.6.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", "product_id": "SUSE OpenStack Cloud Crowbar 8:log4j-1.2.15-126.6.1.noarch" }, "product_reference": "log4j-1.2.15-126.6.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.15-126.6.1.noarch as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:log4j-1.2.15-126.6.1.noarch" }, "product_reference": "log4j-1.2.15-126.6.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.15-126.6.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 12 SP3", "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP3:log4j-1.2.15-126.6.1.noarch" }, "product_reference": "log4j-1.2.15-126.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.15-126.6.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 12 SP4", "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP4:log4j-1.2.15-126.6.1.noarch" }, "product_reference": "log4j-1.2.15-126.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.15-126.6.1.noarch as component of SUSE Linux Enterprise Software Development Kit 12 SP5", "product_id": "SUSE Linux Enterprise Software Development Kit 12 SP5:log4j-1.2.15-126.6.1.noarch" }, "product_reference": "log4j-1.2.15-126.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 12 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-1.2.15-126.6.1.noarch as component of SUSE Linux Enterprise Software Development Kit 12 SP5", "product_id": "SUSE Linux Enterprise Software Development Kit 12 SP5:log4j-manual-1.2.15-126.6.1.noarch" }, "product_reference": "log4j-manual-1.2.15-126.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 12 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.15-126.6.1.noarch as component of SUSE Linux Enterprise Server 12 SP2-BCL", "product_id": "SUSE Linux Enterprise Server 12 SP2-BCL:log4j-1.2.15-126.6.1.noarch" }, "product_reference": "log4j-1.2.15-126.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP2-BCL" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.15-126.6.1.noarch as component of SUSE Linux Enterprise Server 12 SP3-LTSS", "product_id": "SUSE Linux Enterprise Server 12 SP3-LTSS:log4j-1.2.15-126.6.1.noarch" }, "product_reference": "log4j-1.2.15-126.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP3-LTSS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.15-126.6.1.noarch as component of SUSE Linux Enterprise Server 12 SP3-BCL", "product_id": "SUSE Linux Enterprise Server 12 SP3-BCL:log4j-1.2.15-126.6.1.noarch" }, "product_reference": "log4j-1.2.15-126.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP3-BCL" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.15-126.6.1.noarch as component of SUSE Linux Enterprise Server 12 SP4-LTSS", "product_id": "SUSE Linux Enterprise Server 12 SP4-LTSS:log4j-1.2.15-126.6.1.noarch" }, "product_reference": "log4j-1.2.15-126.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP4-LTSS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.15-126.6.1.noarch as component of SUSE Linux Enterprise Server 12 SP5", "product_id": "SUSE Linux Enterprise Server 12 SP5:log4j-1.2.15-126.6.1.noarch" }, "product_reference": "log4j-1.2.15-126.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-1.2.15-126.6.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5", "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:log4j-1.2.15-126.6.1.noarch" }, "product_reference": "log4j-1.2.15-126.6.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "HPE Helion OpenStack 8:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server 12 SP2-BCL:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server 12 SP3-BCL:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server 12 SP3-LTSS:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server 12 SP4-LTSS:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server 12 SP5:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 12 SP3:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 12 SP4:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 12 SP5:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Software Development Kit 12 SP5:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Software Development Kit 12 SP5:log4j-manual-1.2.15-126.6.1.noarch", "SUSE OpenStack Cloud 8:log4j-1.2.15-126.6.1.noarch", "SUSE OpenStack Cloud 9:log4j-1.2.15-126.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:log4j-1.2.15-126.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:log4j-1.2.15-126.6.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "HPE Helion OpenStack 8:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server 12 SP2-BCL:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server 12 SP3-BCL:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server 12 SP3-LTSS:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server 12 SP4-LTSS:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server 12 SP5:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 12 SP3:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 12 SP4:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 12 SP5:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Software Development Kit 12 SP5:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Software Development Kit 12 SP5:log4j-manual-1.2.15-126.6.1.noarch", "SUSE OpenStack Cloud 8:log4j-1.2.15-126.6.1.noarch", "SUSE OpenStack Cloud 9:log4j-1.2.15-126.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:log4j-1.2.15-126.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:log4j-1.2.15-126.6.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "HPE Helion OpenStack 8:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server 12 SP2-BCL:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server 12 SP3-BCL:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server 12 SP3-LTSS:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server 12 SP4-LTSS:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server 12 SP5:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 12 SP3:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 12 SP4:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 12 SP5:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Software Development Kit 12 SP5:log4j-1.2.15-126.6.1.noarch", "SUSE Linux Enterprise Software Development Kit 12 SP5:log4j-manual-1.2.15-126.6.1.noarch", "SUSE OpenStack Cloud 8:log4j-1.2.15-126.6.1.noarch", "SUSE OpenStack Cloud 9:log4j-1.2.15-126.6.1.noarch", "SUSE OpenStack Cloud Crowbar 8:log4j-1.2.15-126.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:log4j-1.2.15-126.6.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2021-12-17T12:38:25Z", "details": "moderate" } ], "title": "CVE-2021-4104" } ] }
suse-su-2022:0354-1
Vulnerability from csaf_suse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh, openstack-monasca-thresh-kit, spark, spark-kit, storm, storm-kit, venv-openstack-monasca, zookeeper, zookeeper-kit", "title": "Title of the patch" }, { "category": "description", "text": "This update for elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh, openstack-monasca-thresh-kit, spark, spark-kit, storm, storm-kit, venv-openstack-monasca, zookeeper, zookeeper-kit fixes the following issues:\n\n- CVE-2021-4104: Fixed remote code execution through JMS API via the ldap JNDI parser (bsc#1193662).\n- CVE-2022-23302: Fixed remote code execution in Log4j 1.x when application is configured to use JMSSink (bsc#1194842).\n- CVE-2022-23305: Fixed SQL injection in Log4j 1.x when application is configured to use JDBCAppender (bsc#1194843).\n- CVE-2022-23307: Fixed deserialization flaw in the Chainsaw component of Log4j 1 that could lead to malicious code execution (bsc#1194844).\n", "title": "Description of the patch" }, { "category": "details", "text": "SUSE-2022-354,SUSE-OpenStack-Cloud-9-2022-354,SUSE-OpenStack-Cloud-Crowbar-9-2022-354", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_0354-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2022:0354-1", "url": "https://www.suse.com/support/update/announcement/2022/suse-su-20220354-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2022:0354-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-February/010195.html" }, { "category": "self", "summary": "SUSE Bug 1193662", "url": "https://bugzilla.suse.com/1193662" }, { "category": "self", "summary": "SUSE Bug 1194842", "url": "https://bugzilla.suse.com/1194842" }, { "category": "self", "summary": "SUSE Bug 1194843", "url": "https://bugzilla.suse.com/1194843" }, { "category": "self", "summary": "SUSE Bug 1194844", "url": "https://bugzilla.suse.com/1194844" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" }, { "category": "self", "summary": "SUSE CVE CVE-2022-23302 page", "url": "https://www.suse.com/security/cve/CVE-2022-23302/" }, { "category": "self", "summary": "SUSE CVE CVE-2022-23305 page", "url": "https://www.suse.com/security/cve/CVE-2022-23305/" }, { "category": "self", "summary": "SUSE CVE CVE-2022-23307 page", "url": "https://www.suse.com/security/cve/CVE-2022-23307/" } ], "title": "Security update for elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh, openstack-monasca-thresh-kit, spark, spark-kit, storm, storm-kit, venv-openstack-monasca, zookeeper, zookeeper-kit", "tracking": { "current_release_date": "2022-02-09T09:54:06Z", "generator": { "date": "2022-02-09T09:54:06Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2022:0354-1", "initial_release_date": "2022-02-09T09:54:06Z", "revision_history": [ { "date": "2022-02-09T09:54:06Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.13-3.12.1.aarch64", "product": { "name": "libzookeeper2-3.4.13-3.12.1.aarch64", "product_id": "libzookeeper2-3.4.13-3.12.1.aarch64" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.13-3.12.1.aarch64", "product": { "name": "libzookeeper2-devel-3.4.13-3.12.1.aarch64", "product_id": "libzookeeper2-devel-3.4.13-3.12.1.aarch64" } }, { "category": "product_version", "name": "logstash-2.4.1-7.6.1.aarch64", "product": { "name": "logstash-2.4.1-7.6.1.aarch64", "product_id": "logstash-2.4.1-7.6.1.aarch64" } }, { "category": "product_version", "name": "storm-1.2.3-3.8.1.aarch64", "product": { "name": "storm-1.2.3-3.8.1.aarch64", "product_id": "storm-1.2.3-3.8.1.aarch64" } }, { "category": "product_version", "name": "storm-doc-1.2.3-3.8.1.aarch64", "product": { "name": "storm-doc-1.2.3-3.8.1.aarch64", "product_id": "storm-doc-1.2.3-3.8.1.aarch64" } }, { "category": "product_version", "name": "storm-logviewer-1.2.3-3.8.1.aarch64", "product": { "name": "storm-logviewer-1.2.3-3.8.1.aarch64", "product_id": "storm-logviewer-1.2.3-3.8.1.aarch64" } }, { "category": "product_version", "name": "storm-nimbus-1.2.3-3.8.1.aarch64", "product": { "name": "storm-nimbus-1.2.3-3.8.1.aarch64", "product_id": "storm-nimbus-1.2.3-3.8.1.aarch64" } }, { "category": "product_version", "name": "storm-pacemaker-1.2.3-3.8.1.aarch64", "product": { "name": "storm-pacemaker-1.2.3-3.8.1.aarch64", "product_id": "storm-pacemaker-1.2.3-3.8.1.aarch64" } }, { "category": "product_version", "name": "storm-supervisor-1.2.3-3.8.1.aarch64", "product": { "name": "storm-supervisor-1.2.3-3.8.1.aarch64", "product_id": "storm-supervisor-1.2.3-3.8.1.aarch64" } }, { "category": "product_version", "name": "storm-ui-1.2.3-3.8.1.aarch64", "product": { "name": "storm-ui-1.2.3-3.8.1.aarch64", "product_id": "storm-ui-1.2.3-3.8.1.aarch64" } }, { "category": "product_version", "name": "storm-zookeeper-1.2.3-3.8.1.aarch64", "product": { "name": "storm-zookeeper-1.2.3-3.8.1.aarch64", "product_id": "storm-zookeeper-1.2.3-3.8.1.aarch64" } }, { "category": "product_version", "name": "zookeeper-client-3.4.13-3.12.1.aarch64", "product": { "name": "zookeeper-client-3.4.13-3.12.1.aarch64", "product_id": "zookeeper-client-3.4.13-3.12.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "elasticsearch-2.4.2-6.6.1.noarch", "product": { "name": "elasticsearch-2.4.2-6.6.1.noarch", "product_id": "elasticsearch-2.4.2-6.6.1.noarch" } }, { "category": "product_version", "name": "elasticsearch-kit-2.4.2-6.6.1.noarch", "product": { "name": "elasticsearch-kit-2.4.2-6.6.1.noarch", "product_id": "elasticsearch-kit-2.4.2-6.6.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "product": { "name": "openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "product_id": "openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "product": { "name": "openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "product_id": "openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-persister-java-kit-1.12.1.dev4-4.10.1.noarch", "product": { "name": "openstack-monasca-persister-java-kit-1.12.1.dev4-4.10.1.noarch", "product_id": "openstack-monasca-persister-java-kit-1.12.1.dev4-4.10.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-thresh-2.1.1-5.6.1.noarch", "product": { "name": "openstack-monasca-thresh-2.1.1-5.6.1.noarch", "product_id": "openstack-monasca-thresh-2.1.1-5.6.1.noarch" } }, { "category": "product_version", "name": "openstack-monasca-thresh-kit-2.1.1-4.6.1.noarch", "product": { "name": "openstack-monasca-thresh-kit-2.1.1-4.6.1.noarch", "product_id": "openstack-monasca-thresh-kit-2.1.1-4.6.1.noarch" } }, { "category": "product_version", "name": "python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "product": { "name": "python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "product_id": "python-monasca-agent-2.8.2~dev5-3.18.1.noarch" } }, { "category": "product_version", "name": "spark-2.2.3-5.9.1.noarch", "product": { "name": "spark-2.2.3-5.9.1.noarch", "product_id": "spark-2.2.3-5.9.1.noarch" } }, { "category": "product_version", "name": "spark-kit-2.2.3-4.6.1.noarch", "product": { "name": "spark-kit-2.2.3-4.6.1.noarch", "product_id": "spark-kit-2.2.3-4.6.1.noarch" } }, { "category": "product_version", "name": "storm-kit-1.2.3-3.9.1.noarch", "product": { "name": "storm-kit-1.2.3-3.9.1.noarch", "product_id": "storm-kit-1.2.3-3.9.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-barbican-aarch64-7.0.1~dev24-3.33.1.noarch", "product": { "name": "venv-openstack-barbican-aarch64-7.0.1~dev24-3.33.1.noarch", "product_id": "venv-openstack-barbican-aarch64-7.0.1~dev24-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-barbican-ppc64le-7.0.1~dev24-3.33.1.noarch", "product": { "name": "venv-openstack-barbican-ppc64le-7.0.1~dev24-3.33.1.noarch", "product_id": "venv-openstack-barbican-ppc64le-7.0.1~dev24-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-barbican-s390x-7.0.1~dev24-3.33.1.noarch", "product": { "name": "venv-openstack-barbican-s390x-7.0.1~dev24-3.33.1.noarch", "product_id": "venv-openstack-barbican-s390x-7.0.1~dev24-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-barbican-x86_64-7.0.1~dev24-3.33.1.noarch", "product": { "name": "venv-openstack-barbican-x86_64-7.0.1~dev24-3.33.1.noarch", "product_id": "venv-openstack-barbican-x86_64-7.0.1~dev24-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-cinder-aarch64-13.0.10~dev23-3.36.1.noarch", "product": { "name": "venv-openstack-cinder-aarch64-13.0.10~dev23-3.36.1.noarch", "product_id": "venv-openstack-cinder-aarch64-13.0.10~dev23-3.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-cinder-ppc64le-13.0.10~dev23-3.36.1.noarch", "product": { "name": "venv-openstack-cinder-ppc64le-13.0.10~dev23-3.36.1.noarch", "product_id": "venv-openstack-cinder-ppc64le-13.0.10~dev23-3.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-cinder-s390x-13.0.10~dev23-3.36.1.noarch", "product": { "name": "venv-openstack-cinder-s390x-13.0.10~dev23-3.36.1.noarch", "product_id": "venv-openstack-cinder-s390x-13.0.10~dev23-3.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-cinder-x86_64-13.0.10~dev23-3.36.1.noarch", "product": { "name": "venv-openstack-cinder-x86_64-13.0.10~dev23-3.36.1.noarch", "product_id": "venv-openstack-cinder-x86_64-13.0.10~dev23-3.36.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-designate-aarch64-7.0.2~dev2-3.33.1.noarch", "product": { "name": "venv-openstack-designate-aarch64-7.0.2~dev2-3.33.1.noarch", "product_id": "venv-openstack-designate-aarch64-7.0.2~dev2-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-designate-ppc64le-7.0.2~dev2-3.33.1.noarch", "product": { "name": "venv-openstack-designate-ppc64le-7.0.2~dev2-3.33.1.noarch", "product_id": "venv-openstack-designate-ppc64le-7.0.2~dev2-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-designate-s390x-7.0.2~dev2-3.33.1.noarch", "product": { "name": "venv-openstack-designate-s390x-7.0.2~dev2-3.33.1.noarch", "product_id": "venv-openstack-designate-s390x-7.0.2~dev2-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-designate-x86_64-7.0.2~dev2-3.33.1.noarch", "product": { "name": "venv-openstack-designate-x86_64-7.0.2~dev2-3.33.1.noarch", "product_id": "venv-openstack-designate-x86_64-7.0.2~dev2-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-glance-aarch64-17.0.1~dev30-3.31.1.noarch", "product": { "name": "venv-openstack-glance-aarch64-17.0.1~dev30-3.31.1.noarch", "product_id": "venv-openstack-glance-aarch64-17.0.1~dev30-3.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-glance-ppc64le-17.0.1~dev30-3.31.1.noarch", "product": { "name": "venv-openstack-glance-ppc64le-17.0.1~dev30-3.31.1.noarch", "product_id": "venv-openstack-glance-ppc64le-17.0.1~dev30-3.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-glance-s390x-17.0.1~dev30-3.31.1.noarch", "product": { "name": "venv-openstack-glance-s390x-17.0.1~dev30-3.31.1.noarch", "product_id": "venv-openstack-glance-s390x-17.0.1~dev30-3.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-glance-x86_64-17.0.1~dev30-3.31.1.noarch", "product": { "name": "venv-openstack-glance-x86_64-17.0.1~dev30-3.31.1.noarch", "product_id": "venv-openstack-glance-x86_64-17.0.1~dev30-3.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-heat-aarch64-11.0.4~dev4-3.33.1.noarch", "product": { "name": "venv-openstack-heat-aarch64-11.0.4~dev4-3.33.1.noarch", "product_id": "venv-openstack-heat-aarch64-11.0.4~dev4-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-heat-ppc64le-11.0.4~dev4-3.33.1.noarch", "product": { "name": "venv-openstack-heat-ppc64le-11.0.4~dev4-3.33.1.noarch", "product_id": "venv-openstack-heat-ppc64le-11.0.4~dev4-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-heat-s390x-11.0.4~dev4-3.33.1.noarch", "product": { "name": "venv-openstack-heat-s390x-11.0.4~dev4-3.33.1.noarch", "product_id": "venv-openstack-heat-s390x-11.0.4~dev4-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-heat-x86_64-11.0.4~dev4-3.33.1.noarch", "product": { "name": "venv-openstack-heat-x86_64-11.0.4~dev4-3.33.1.noarch", "product_id": "venv-openstack-heat-x86_64-11.0.4~dev4-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-aarch64-14.1.1~dev11-4.37.1.noarch", "product": { "name": "venv-openstack-horizon-aarch64-14.1.1~dev11-4.37.1.noarch", "product_id": "venv-openstack-horizon-aarch64-14.1.1~dev11-4.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-ppc64le-14.1.1~dev11-4.37.1.noarch", "product": { "name": "venv-openstack-horizon-ppc64le-14.1.1~dev11-4.37.1.noarch", "product_id": "venv-openstack-horizon-ppc64le-14.1.1~dev11-4.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-s390x-14.1.1~dev11-4.37.1.noarch", "product": { "name": "venv-openstack-horizon-s390x-14.1.1~dev11-4.37.1.noarch", "product_id": "venv-openstack-horizon-s390x-14.1.1~dev11-4.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-horizon-x86_64-14.1.1~dev11-4.37.1.noarch", "product": { "name": "venv-openstack-horizon-x86_64-14.1.1~dev11-4.37.1.noarch", "product_id": "venv-openstack-horizon-x86_64-14.1.1~dev11-4.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ironic-aarch64-11.1.5~dev17-4.31.1.noarch", "product": { "name": "venv-openstack-ironic-aarch64-11.1.5~dev17-4.31.1.noarch", "product_id": "venv-openstack-ironic-aarch64-11.1.5~dev17-4.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ironic-ppc64le-11.1.5~dev17-4.31.1.noarch", "product": { "name": "venv-openstack-ironic-ppc64le-11.1.5~dev17-4.31.1.noarch", "product_id": "venv-openstack-ironic-ppc64le-11.1.5~dev17-4.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ironic-s390x-11.1.5~dev17-4.31.1.noarch", "product": { "name": "venv-openstack-ironic-s390x-11.1.5~dev17-4.31.1.noarch", "product_id": "venv-openstack-ironic-s390x-11.1.5~dev17-4.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-ironic-x86_64-11.1.5~dev17-4.31.1.noarch", "product": { "name": "venv-openstack-ironic-x86_64-11.1.5~dev17-4.31.1.noarch", "product_id": "venv-openstack-ironic-x86_64-11.1.5~dev17-4.31.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-keystone-aarch64-14.2.1~dev7-3.34.1.noarch", "product": { "name": "venv-openstack-keystone-aarch64-14.2.1~dev7-3.34.1.noarch", "product_id": "venv-openstack-keystone-aarch64-14.2.1~dev7-3.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-keystone-ppc64le-14.2.1~dev7-3.34.1.noarch", "product": { "name": "venv-openstack-keystone-ppc64le-14.2.1~dev7-3.34.1.noarch", "product_id": "venv-openstack-keystone-ppc64le-14.2.1~dev7-3.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-keystone-s390x-14.2.1~dev7-3.34.1.noarch", "product": { "name": "venv-openstack-keystone-s390x-14.2.1~dev7-3.34.1.noarch", "product_id": "venv-openstack-keystone-s390x-14.2.1~dev7-3.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-keystone-x86_64-14.2.1~dev7-3.34.1.noarch", "product": { "name": "venv-openstack-keystone-x86_64-14.2.1~dev7-3.34.1.noarch", "product_id": "venv-openstack-keystone-x86_64-14.2.1~dev7-3.34.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-magnum-aarch64-7.2.1~dev1-4.33.1.noarch", "product": { "name": "venv-openstack-magnum-aarch64-7.2.1~dev1-4.33.1.noarch", "product_id": "venv-openstack-magnum-aarch64-7.2.1~dev1-4.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-magnum-ppc64le-7.2.1~dev1-4.33.1.noarch", "product": { "name": "venv-openstack-magnum-ppc64le-7.2.1~dev1-4.33.1.noarch", "product_id": "venv-openstack-magnum-ppc64le-7.2.1~dev1-4.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-magnum-s390x-7.2.1~dev1-4.33.1.noarch", "product": { "name": "venv-openstack-magnum-s390x-7.2.1~dev1-4.33.1.noarch", "product_id": "venv-openstack-magnum-s390x-7.2.1~dev1-4.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-magnum-x86_64-7.2.1~dev1-4.33.1.noarch", "product": { "name": "venv-openstack-magnum-x86_64-7.2.1~dev1-4.33.1.noarch", "product_id": "venv-openstack-magnum-x86_64-7.2.1~dev1-4.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-manila-aarch64-7.4.2~dev60-3.39.1.noarch", "product": { "name": "venv-openstack-manila-aarch64-7.4.2~dev60-3.39.1.noarch", "product_id": "venv-openstack-manila-aarch64-7.4.2~dev60-3.39.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-manila-ppc64le-7.4.2~dev60-3.39.1.noarch", "product": { "name": "venv-openstack-manila-ppc64le-7.4.2~dev60-3.39.1.noarch", "product_id": "venv-openstack-manila-ppc64le-7.4.2~dev60-3.39.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-manila-s390x-7.4.2~dev60-3.39.1.noarch", "product": { "name": "venv-openstack-manila-s390x-7.4.2~dev60-3.39.1.noarch", "product_id": "venv-openstack-manila-s390x-7.4.2~dev60-3.39.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-manila-x86_64-7.4.2~dev60-3.39.1.noarch", "product": { "name": "venv-openstack-manila-x86_64-7.4.2~dev60-3.39.1.noarch", "product_id": "venv-openstack-manila-x86_64-7.4.2~dev60-3.39.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-aarch64-2.7.1~dev10-3.35.2.noarch", "product": { "name": "venv-openstack-monasca-aarch64-2.7.1~dev10-3.35.2.noarch", "product_id": "venv-openstack-monasca-aarch64-2.7.1~dev10-3.35.2.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ceilometer-aarch64-1.8.2~dev3-3.33.1.noarch", "product": { "name": "venv-openstack-monasca-ceilometer-aarch64-1.8.2~dev3-3.33.1.noarch", "product_id": "venv-openstack-monasca-ceilometer-aarch64-1.8.2~dev3-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ceilometer-ppc64le-1.8.2~dev3-3.33.1.noarch", "product": { "name": "venv-openstack-monasca-ceilometer-ppc64le-1.8.2~dev3-3.33.1.noarch", "product_id": "venv-openstack-monasca-ceilometer-ppc64le-1.8.2~dev3-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ceilometer-s390x-1.8.2~dev3-3.33.1.noarch", "product": { "name": "venv-openstack-monasca-ceilometer-s390x-1.8.2~dev3-3.33.1.noarch", "product_id": "venv-openstack-monasca-ceilometer-s390x-1.8.2~dev3-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.33.1.noarch", "product": { "name": "venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.33.1.noarch", "product_id": "venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ppc64le-2.7.1~dev10-3.35.2.noarch", "product": { "name": "venv-openstack-monasca-ppc64le-2.7.1~dev10-3.35.2.noarch", "product_id": "venv-openstack-monasca-ppc64le-2.7.1~dev10-3.35.2.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-s390x-2.7.1~dev10-3.35.2.noarch", "product": { "name": "venv-openstack-monasca-s390x-2.7.1~dev10-3.35.2.noarch", "product_id": "venv-openstack-monasca-s390x-2.7.1~dev10-3.35.2.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.35.2.noarch", "product": { "name": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.35.2.noarch", "product_id": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.35.2.noarch" } }, { "category": "product_version", "name": "venv-openstack-neutron-aarch64-13.0.8~dev164-6.37.1.noarch", "product": { "name": "venv-openstack-neutron-aarch64-13.0.8~dev164-6.37.1.noarch", "product_id": "venv-openstack-neutron-aarch64-13.0.8~dev164-6.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-neutron-ppc64le-13.0.8~dev164-6.37.1.noarch", "product": { "name": "venv-openstack-neutron-ppc64le-13.0.8~dev164-6.37.1.noarch", "product_id": "venv-openstack-neutron-ppc64le-13.0.8~dev164-6.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-neutron-s390x-13.0.8~dev164-6.37.1.noarch", "product": { "name": "venv-openstack-neutron-s390x-13.0.8~dev164-6.37.1.noarch", "product_id": "venv-openstack-neutron-s390x-13.0.8~dev164-6.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-neutron-x86_64-13.0.8~dev164-6.37.1.noarch", "product": { "name": "venv-openstack-neutron-x86_64-13.0.8~dev164-6.37.1.noarch", "product_id": "venv-openstack-neutron-x86_64-13.0.8~dev164-6.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-nova-aarch64-18.3.1~dev91-3.37.1.noarch", "product": { "name": "venv-openstack-nova-aarch64-18.3.1~dev91-3.37.1.noarch", "product_id": "venv-openstack-nova-aarch64-18.3.1~dev91-3.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-nova-ppc64le-18.3.1~dev91-3.37.1.noarch", "product": { "name": "venv-openstack-nova-ppc64le-18.3.1~dev91-3.37.1.noarch", "product_id": "venv-openstack-nova-ppc64le-18.3.1~dev91-3.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-nova-s390x-18.3.1~dev91-3.37.1.noarch", "product": { "name": "venv-openstack-nova-s390x-18.3.1~dev91-3.37.1.noarch", "product_id": "venv-openstack-nova-s390x-18.3.1~dev91-3.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-nova-x86_64-18.3.1~dev91-3.37.1.noarch", "product": { "name": "venv-openstack-nova-x86_64-18.3.1~dev91-3.37.1.noarch", "product_id": "venv-openstack-nova-x86_64-18.3.1~dev91-3.37.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-octavia-aarch64-3.2.3~dev7-4.33.1.noarch", "product": { "name": "venv-openstack-octavia-aarch64-3.2.3~dev7-4.33.1.noarch", "product_id": "venv-openstack-octavia-aarch64-3.2.3~dev7-4.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-octavia-ppc64le-3.2.3~dev7-4.33.1.noarch", "product": { "name": "venv-openstack-octavia-ppc64le-3.2.3~dev7-4.33.1.noarch", "product_id": "venv-openstack-octavia-ppc64le-3.2.3~dev7-4.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-octavia-s390x-3.2.3~dev7-4.33.1.noarch", "product": { "name": "venv-openstack-octavia-s390x-3.2.3~dev7-4.33.1.noarch", "product_id": "venv-openstack-octavia-s390x-3.2.3~dev7-4.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-octavia-x86_64-3.2.3~dev7-4.33.1.noarch", "product": { "name": "venv-openstack-octavia-x86_64-3.2.3~dev7-4.33.1.noarch", "product_id": "venv-openstack-octavia-x86_64-3.2.3~dev7-4.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-sahara-aarch64-9.0.2~dev15-3.33.1.noarch", "product": { "name": "venv-openstack-sahara-aarch64-9.0.2~dev15-3.33.1.noarch", "product_id": "venv-openstack-sahara-aarch64-9.0.2~dev15-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-sahara-ppc64le-9.0.2~dev15-3.33.1.noarch", "product": { "name": "venv-openstack-sahara-ppc64le-9.0.2~dev15-3.33.1.noarch", "product_id": "venv-openstack-sahara-ppc64le-9.0.2~dev15-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-sahara-s390x-9.0.2~dev15-3.33.1.noarch", "product": { "name": "venv-openstack-sahara-s390x-9.0.2~dev15-3.33.1.noarch", "product_id": "venv-openstack-sahara-s390x-9.0.2~dev15-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-sahara-x86_64-9.0.2~dev15-3.33.1.noarch", "product": { "name": "venv-openstack-sahara-x86_64-9.0.2~dev15-3.33.1.noarch", "product_id": "venv-openstack-sahara-x86_64-9.0.2~dev15-3.33.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-swift-aarch64-2.19.2~dev48-2.28.1.noarch", "product": { "name": "venv-openstack-swift-aarch64-2.19.2~dev48-2.28.1.noarch", "product_id": "venv-openstack-swift-aarch64-2.19.2~dev48-2.28.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-swift-ppc64le-2.19.2~dev48-2.28.1.noarch", "product": { "name": "venv-openstack-swift-ppc64le-2.19.2~dev48-2.28.1.noarch", "product_id": "venv-openstack-swift-ppc64le-2.19.2~dev48-2.28.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-swift-s390x-2.19.2~dev48-2.28.1.noarch", "product": { "name": "venv-openstack-swift-s390x-2.19.2~dev48-2.28.1.noarch", "product_id": "venv-openstack-swift-s390x-2.19.2~dev48-2.28.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-swift-x86_64-2.19.2~dev48-2.28.1.noarch", "product": { "name": "venv-openstack-swift-x86_64-2.19.2~dev48-2.28.1.noarch", "product_id": "venv-openstack-swift-x86_64-2.19.2~dev48-2.28.1.noarch" } }, { "category": "product_version", "name": "zookeeper-kit-3.4.13-3.6.1.noarch", "product": { "name": "zookeeper-kit-3.4.13-3.6.1.noarch", "product_id": "zookeeper-kit-3.4.13-3.6.1.noarch" } }, { "category": "product_version", "name": "zookeeper-server-3.4.13-3.12.1.noarch", "product": { "name": "zookeeper-server-3.4.13-3.12.1.noarch", "product_id": "zookeeper-server-3.4.13-3.12.1.noarch" } }, { "category": "product_version", "name": "spark-2.2.3-5.9.2.noarch", "product": { "name": "spark-2.2.3-5.9.2.noarch", "product_id": "spark-2.2.3-5.9.2.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.13-3.12.1.ppc64le", "product": { "name": "libzookeeper2-3.4.13-3.12.1.ppc64le", "product_id": "libzookeeper2-3.4.13-3.12.1.ppc64le" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.13-3.12.1.ppc64le", "product": { "name": "libzookeeper2-devel-3.4.13-3.12.1.ppc64le", "product_id": "libzookeeper2-devel-3.4.13-3.12.1.ppc64le" } }, { "category": "product_version", "name": "logstash-2.4.1-7.6.1.ppc64le", "product": { "name": "logstash-2.4.1-7.6.1.ppc64le", "product_id": "logstash-2.4.1-7.6.1.ppc64le" } }, { "category": "product_version", "name": "storm-1.2.3-3.8.1.ppc64le", "product": { "name": "storm-1.2.3-3.8.1.ppc64le", "product_id": "storm-1.2.3-3.8.1.ppc64le" } }, { "category": "product_version", "name": "storm-doc-1.2.3-3.8.1.ppc64le", "product": { "name": "storm-doc-1.2.3-3.8.1.ppc64le", "product_id": "storm-doc-1.2.3-3.8.1.ppc64le" } }, { "category": "product_version", "name": "storm-logviewer-1.2.3-3.8.1.ppc64le", "product": { "name": "storm-logviewer-1.2.3-3.8.1.ppc64le", "product_id": "storm-logviewer-1.2.3-3.8.1.ppc64le" } }, { "category": "product_version", "name": "storm-nimbus-1.2.3-3.8.1.ppc64le", "product": { "name": "storm-nimbus-1.2.3-3.8.1.ppc64le", "product_id": "storm-nimbus-1.2.3-3.8.1.ppc64le" } }, { "category": "product_version", "name": "storm-pacemaker-1.2.3-3.8.1.ppc64le", "product": { "name": "storm-pacemaker-1.2.3-3.8.1.ppc64le", "product_id": "storm-pacemaker-1.2.3-3.8.1.ppc64le" } }, { "category": "product_version", "name": "storm-supervisor-1.2.3-3.8.1.ppc64le", "product": { "name": "storm-supervisor-1.2.3-3.8.1.ppc64le", "product_id": "storm-supervisor-1.2.3-3.8.1.ppc64le" } }, { "category": "product_version", "name": "storm-ui-1.2.3-3.8.1.ppc64le", "product": { "name": "storm-ui-1.2.3-3.8.1.ppc64le", "product_id": "storm-ui-1.2.3-3.8.1.ppc64le" } }, { "category": "product_version", "name": "storm-zookeeper-1.2.3-3.8.1.ppc64le", "product": { "name": "storm-zookeeper-1.2.3-3.8.1.ppc64le", "product_id": "storm-zookeeper-1.2.3-3.8.1.ppc64le" } }, { "category": "product_version", "name": "zookeeper-client-3.4.13-3.12.1.ppc64le", "product": { "name": "zookeeper-client-3.4.13-3.12.1.ppc64le", "product_id": "zookeeper-client-3.4.13-3.12.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.13-3.12.1.s390x", "product": { "name": "libzookeeper2-3.4.13-3.12.1.s390x", "product_id": "libzookeeper2-3.4.13-3.12.1.s390x" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.13-3.12.1.s390x", "product": { "name": "libzookeeper2-devel-3.4.13-3.12.1.s390x", "product_id": "libzookeeper2-devel-3.4.13-3.12.1.s390x" } }, { "category": "product_version", "name": "logstash-2.4.1-7.6.1.s390x", "product": { "name": "logstash-2.4.1-7.6.1.s390x", "product_id": "logstash-2.4.1-7.6.1.s390x" } }, { "category": "product_version", "name": "zookeeper-client-3.4.13-3.12.1.s390x", "product": { "name": "zookeeper-client-3.4.13-3.12.1.s390x", "product_id": "zookeeper-client-3.4.13-3.12.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "kafka-0.10.2.2-3.5.1.x86_64", "product": { "name": "kafka-0.10.2.2-3.5.1.x86_64", "product_id": "kafka-0.10.2.2-3.5.1.x86_64" } }, { "category": "product_version", "name": "kafka-doc-0.10.2.2-3.5.1.x86_64", "product": { "name": "kafka-doc-0.10.2.2-3.5.1.x86_64", "product_id": "kafka-doc-0.10.2.2-3.5.1.x86_64" } }, { "category": "product_version", "name": "kafka-kit-0.10.2.2-3.6.1.x86_64", "product": { "name": "kafka-kit-0.10.2.2-3.6.1.x86_64", "product_id": "kafka-kit-0.10.2.2-3.6.1.x86_64" } }, { "category": "product_version", "name": "kafka-zookeeper-0.10.2.2-3.5.1.x86_64", "product": { "name": "kafka-zookeeper-0.10.2.2-3.5.1.x86_64", "product_id": "kafka-zookeeper-0.10.2.2-3.5.1.x86_64" } }, { "category": "product_version", "name": "libzookeeper2-3.4.13-3.12.1.x86_64", "product": { "name": "libzookeeper2-3.4.13-3.12.1.x86_64", "product_id": "libzookeeper2-3.4.13-3.12.1.x86_64" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.13-3.12.1.x86_64", "product": { "name": "libzookeeper2-devel-3.4.13-3.12.1.x86_64", "product_id": "libzookeeper2-devel-3.4.13-3.12.1.x86_64" } }, { "category": "product_version", "name": "logstash-2.4.1-7.6.1.x86_64", "product": { "name": "logstash-2.4.1-7.6.1.x86_64", "product_id": "logstash-2.4.1-7.6.1.x86_64" } }, { "category": "product_version", "name": "storm-1.2.3-3.8.1.x86_64", "product": { "name": "storm-1.2.3-3.8.1.x86_64", "product_id": "storm-1.2.3-3.8.1.x86_64" } }, { "category": "product_version", "name": "storm-doc-1.2.3-3.8.1.x86_64", "product": { "name": "storm-doc-1.2.3-3.8.1.x86_64", "product_id": "storm-doc-1.2.3-3.8.1.x86_64" } }, { "category": "product_version", "name": "storm-logviewer-1.2.3-3.8.1.x86_64", "product": { "name": "storm-logviewer-1.2.3-3.8.1.x86_64", "product_id": "storm-logviewer-1.2.3-3.8.1.x86_64" } }, { "category": "product_version", "name": "storm-nimbus-1.2.3-3.8.1.x86_64", "product": { "name": "storm-nimbus-1.2.3-3.8.1.x86_64", "product_id": "storm-nimbus-1.2.3-3.8.1.x86_64" } }, { "category": "product_version", "name": "storm-pacemaker-1.2.3-3.8.1.x86_64", "product": { "name": "storm-pacemaker-1.2.3-3.8.1.x86_64", "product_id": "storm-pacemaker-1.2.3-3.8.1.x86_64" } }, { "category": "product_version", "name": "storm-supervisor-1.2.3-3.8.1.x86_64", "product": { "name": "storm-supervisor-1.2.3-3.8.1.x86_64", "product_id": "storm-supervisor-1.2.3-3.8.1.x86_64" } }, { "category": "product_version", "name": "storm-ui-1.2.3-3.8.1.x86_64", "product": { "name": "storm-ui-1.2.3-3.8.1.x86_64", "product_id": "storm-ui-1.2.3-3.8.1.x86_64" } }, { "category": "product_version", "name": "storm-zookeeper-1.2.3-3.8.1.x86_64", "product": { "name": "storm-zookeeper-1.2.3-3.8.1.x86_64", "product_id": "storm-zookeeper-1.2.3-3.8.1.x86_64" } }, { "category": "product_version", "name": "zookeeper-client-3.4.13-3.12.1.x86_64", "product": { "name": "zookeeper-client-3.4.13-3.12.1.x86_64", "product_id": "zookeeper-client-3.4.13-3.12.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "SUSE OpenStack Cloud 9", "product": { "name": "SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud:9" } } }, { "category": "product_name", "name": "SUSE OpenStack Cloud Crowbar 9", "product": { "name": "SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:9" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "elasticsearch-2.4.2-6.6.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:elasticsearch-2.4.2-6.6.1.noarch" }, "product_reference": "elasticsearch-2.4.2-6.6.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-0.10.2.2-3.5.1.x86_64 as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:kafka-0.10.2.2-3.5.1.x86_64" }, "product_reference": "kafka-0.10.2.2-3.5.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "logstash-2.4.1-7.6.1.x86_64 as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:logstash-2.4.1-7.6.1.x86_64" }, "product_reference": "logstash-2.4.1-7.6.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch" }, "product_reference": "openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch" }, "product_reference": "openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-thresh-2.1.1-5.6.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch" }, "product_reference": "openstack-monasca-thresh-2.1.1-5.6.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "python-monasca-agent-2.8.2~dev5-3.18.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch" }, "product_reference": "python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "spark-2.2.3-5.9.2.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:spark-2.2.3-5.9.2.noarch" }, "product_reference": "spark-2.2.3-5.9.2.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "storm-1.2.3-3.8.1.x86_64 as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:storm-1.2.3-3.8.1.x86_64" }, "product_reference": "storm-1.2.3-3.8.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "storm-nimbus-1.2.3-3.8.1.x86_64 as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.8.1.x86_64" }, "product_reference": "storm-nimbus-1.2.3-3.8.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "storm-supervisor-1.2.3-3.8.1.x86_64 as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.8.1.x86_64" }, "product_reference": "storm-supervisor-1.2.3-3.8.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-barbican-x86_64-7.0.1~dev24-3.33.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.33.1.noarch" }, "product_reference": "venv-openstack-barbican-x86_64-7.0.1~dev24-3.33.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-cinder-x86_64-13.0.10~dev23-3.36.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-cinder-x86_64-13.0.10~dev23-3.36.1.noarch" }, "product_reference": "venv-openstack-cinder-x86_64-13.0.10~dev23-3.36.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-designate-x86_64-7.0.2~dev2-3.33.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-designate-x86_64-7.0.2~dev2-3.33.1.noarch" }, "product_reference": "venv-openstack-designate-x86_64-7.0.2~dev2-3.33.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-glance-x86_64-17.0.1~dev30-3.31.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-glance-x86_64-17.0.1~dev30-3.31.1.noarch" }, "product_reference": "venv-openstack-glance-x86_64-17.0.1~dev30-3.31.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-heat-x86_64-11.0.4~dev4-3.33.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-heat-x86_64-11.0.4~dev4-3.33.1.noarch" }, "product_reference": "venv-openstack-heat-x86_64-11.0.4~dev4-3.33.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-horizon-x86_64-14.1.1~dev11-4.37.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.37.1.noarch" }, "product_reference": "venv-openstack-horizon-x86_64-14.1.1~dev11-4.37.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-ironic-x86_64-11.1.5~dev17-4.31.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-ironic-x86_64-11.1.5~dev17-4.31.1.noarch" }, "product_reference": "venv-openstack-ironic-x86_64-11.1.5~dev17-4.31.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-keystone-x86_64-14.2.1~dev7-3.34.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-keystone-x86_64-14.2.1~dev7-3.34.1.noarch" }, "product_reference": "venv-openstack-keystone-x86_64-14.2.1~dev7-3.34.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-magnum-x86_64-7.2.1~dev1-4.33.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-magnum-x86_64-7.2.1~dev1-4.33.1.noarch" }, "product_reference": "venv-openstack-magnum-x86_64-7.2.1~dev1-4.33.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-manila-x86_64-7.4.2~dev60-3.39.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-manila-x86_64-7.4.2~dev60-3.39.1.noarch" }, "product_reference": "venv-openstack-manila-x86_64-7.4.2~dev60-3.39.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.33.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.33.1.noarch" }, "product_reference": "venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.33.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.35.2.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.35.2.noarch" }, "product_reference": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.35.2.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-neutron-x86_64-13.0.8~dev164-6.37.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev164-6.37.1.noarch" }, "product_reference": "venv-openstack-neutron-x86_64-13.0.8~dev164-6.37.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-nova-x86_64-18.3.1~dev91-3.37.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev91-3.37.1.noarch" }, "product_reference": "venv-openstack-nova-x86_64-18.3.1~dev91-3.37.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-octavia-x86_64-3.2.3~dev7-4.33.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-octavia-x86_64-3.2.3~dev7-4.33.1.noarch" }, "product_reference": "venv-openstack-octavia-x86_64-3.2.3~dev7-4.33.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-sahara-x86_64-9.0.2~dev15-3.33.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-sahara-x86_64-9.0.2~dev15-3.33.1.noarch" }, "product_reference": "venv-openstack-sahara-x86_64-9.0.2~dev15-3.33.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-swift-x86_64-2.19.2~dev48-2.28.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-swift-x86_64-2.19.2~dev48-2.28.1.noarch" }, "product_reference": "venv-openstack-swift-x86_64-2.19.2~dev48-2.28.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "zookeeper-server-3.4.13-3.12.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.12.1.noarch" }, "product_reference": "zookeeper-server-3.4.13-3.12.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "elasticsearch-2.4.2-6.6.1.noarch as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:elasticsearch-2.4.2-6.6.1.noarch" }, "product_reference": "elasticsearch-2.4.2-6.6.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "kafka-0.10.2.2-3.5.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:kafka-0.10.2.2-3.5.1.x86_64" }, "product_reference": "kafka-0.10.2.2-3.5.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "logstash-2.4.1-7.6.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:logstash-2.4.1-7.6.1.x86_64" }, "product_reference": "logstash-2.4.1-7.6.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch" }, "product_reference": "openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch" }, "product_reference": "openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-thresh-2.1.1-5.6.1.noarch as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch" }, "product_reference": "openstack-monasca-thresh-2.1.1-5.6.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "python-monasca-agent-2.8.2~dev5-3.18.1.noarch as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch" }, "product_reference": "python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "spark-2.2.3-5.9.2.noarch as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.9.2.noarch" }, "product_reference": "spark-2.2.3-5.9.2.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "storm-1.2.3-3.8.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.8.1.x86_64" }, "product_reference": "storm-1.2.3-3.8.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "storm-nimbus-1.2.3-3.8.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.8.1.x86_64" }, "product_reference": "storm-nimbus-1.2.3-3.8.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "storm-supervisor-1.2.3-3.8.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.8.1.x86_64" }, "product_reference": "storm-supervisor-1.2.3-3.8.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "zookeeper-server-3.4.13-3.12.1.noarch as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.12.1.noarch" }, "product_reference": "zookeeper-server-3.4.13-3.12.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE OpenStack Cloud 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-cinder-x86_64-13.0.10~dev23-3.36.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-designate-x86_64-7.0.2~dev2-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-glance-x86_64-17.0.1~dev30-3.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-heat-x86_64-11.0.4~dev4-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-ironic-x86_64-11.1.5~dev17-4.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-keystone-x86_64-14.2.1~dev7-3.34.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-magnum-x86_64-7.2.1~dev1-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-manila-x86_64-7.4.2~dev60-3.39.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.35.2.noarch", "SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev164-6.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev91-3.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-octavia-x86_64-3.2.3~dev7-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-sahara-x86_64-9.0.2~dev15-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-swift-x86_64-2.19.2~dev48-2.28.1.noarch", "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.12.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE OpenStack Cloud 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-cinder-x86_64-13.0.10~dev23-3.36.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-designate-x86_64-7.0.2~dev2-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-glance-x86_64-17.0.1~dev30-3.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-heat-x86_64-11.0.4~dev4-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-ironic-x86_64-11.1.5~dev17-4.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-keystone-x86_64-14.2.1~dev7-3.34.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-magnum-x86_64-7.2.1~dev1-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-manila-x86_64-7.4.2~dev60-3.39.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.35.2.noarch", "SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev164-6.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev91-3.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-octavia-x86_64-3.2.3~dev7-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-sahara-x86_64-9.0.2~dev15-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-swift-x86_64-2.19.2~dev48-2.28.1.noarch", "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.12.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE OpenStack Cloud 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-cinder-x86_64-13.0.10~dev23-3.36.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-designate-x86_64-7.0.2~dev2-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-glance-x86_64-17.0.1~dev30-3.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-heat-x86_64-11.0.4~dev4-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-ironic-x86_64-11.1.5~dev17-4.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-keystone-x86_64-14.2.1~dev7-3.34.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-magnum-x86_64-7.2.1~dev1-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-manila-x86_64-7.4.2~dev60-3.39.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.35.2.noarch", "SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev164-6.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev91-3.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-octavia-x86_64-3.2.3~dev7-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-sahara-x86_64-9.0.2~dev15-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-swift-x86_64-2.19.2~dev48-2.28.1.noarch", "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.12.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2022-02-09T09:54:06Z", "details": "moderate" } ], "title": "CVE-2021-4104" }, { "cve": "CVE-2022-23302", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2022-23302" } ], "notes": [ { "category": "general", "text": "JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE OpenStack Cloud 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-cinder-x86_64-13.0.10~dev23-3.36.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-designate-x86_64-7.0.2~dev2-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-glance-x86_64-17.0.1~dev30-3.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-heat-x86_64-11.0.4~dev4-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-ironic-x86_64-11.1.5~dev17-4.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-keystone-x86_64-14.2.1~dev7-3.34.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-magnum-x86_64-7.2.1~dev1-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-manila-x86_64-7.4.2~dev60-3.39.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.35.2.noarch", "SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev164-6.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev91-3.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-octavia-x86_64-3.2.3~dev7-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-sahara-x86_64-9.0.2~dev15-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-swift-x86_64-2.19.2~dev48-2.28.1.noarch", "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.12.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2022-23302", "url": "https://www.suse.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2022-23302", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE OpenStack Cloud 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-cinder-x86_64-13.0.10~dev23-3.36.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-designate-x86_64-7.0.2~dev2-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-glance-x86_64-17.0.1~dev30-3.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-heat-x86_64-11.0.4~dev4-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-ironic-x86_64-11.1.5~dev17-4.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-keystone-x86_64-14.2.1~dev7-3.34.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-magnum-x86_64-7.2.1~dev1-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-manila-x86_64-7.4.2~dev60-3.39.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.35.2.noarch", "SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev164-6.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev91-3.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-octavia-x86_64-3.2.3~dev7-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-sahara-x86_64-9.0.2~dev15-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-swift-x86_64-2.19.2~dev48-2.28.1.noarch", "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.12.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE OpenStack Cloud 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-cinder-x86_64-13.0.10~dev23-3.36.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-designate-x86_64-7.0.2~dev2-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-glance-x86_64-17.0.1~dev30-3.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-heat-x86_64-11.0.4~dev4-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-ironic-x86_64-11.1.5~dev17-4.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-keystone-x86_64-14.2.1~dev7-3.34.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-magnum-x86_64-7.2.1~dev1-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-manila-x86_64-7.4.2~dev60-3.39.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.35.2.noarch", "SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev164-6.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev91-3.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-octavia-x86_64-3.2.3~dev7-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-sahara-x86_64-9.0.2~dev15-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-swift-x86_64-2.19.2~dev48-2.28.1.noarch", "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.12.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2022-02-09T09:54:06Z", "details": "moderate" } ], "title": "CVE-2022-23302" }, { "cve": "CVE-2022-23305", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2022-23305" } ], "notes": [ { "category": "general", "text": "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE OpenStack Cloud 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-cinder-x86_64-13.0.10~dev23-3.36.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-designate-x86_64-7.0.2~dev2-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-glance-x86_64-17.0.1~dev30-3.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-heat-x86_64-11.0.4~dev4-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-ironic-x86_64-11.1.5~dev17-4.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-keystone-x86_64-14.2.1~dev7-3.34.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-magnum-x86_64-7.2.1~dev1-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-manila-x86_64-7.4.2~dev60-3.39.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.35.2.noarch", "SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev164-6.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev91-3.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-octavia-x86_64-3.2.3~dev7-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-sahara-x86_64-9.0.2~dev15-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-swift-x86_64-2.19.2~dev48-2.28.1.noarch", "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.12.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2022-23305", "url": "https://www.suse.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "SUSE Bug 1194843 for CVE-2022-23305", "url": "https://bugzilla.suse.com/1194843" }, { "category": "external", "summary": "SUSE Bug 1196392 for CVE-2022-23305", "url": "https://bugzilla.suse.com/1196392" }, { "category": "external", "summary": "SUSE Bug 1225673 for CVE-2022-23305", "url": "https://bugzilla.suse.com/1225673" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE OpenStack Cloud 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-cinder-x86_64-13.0.10~dev23-3.36.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-designate-x86_64-7.0.2~dev2-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-glance-x86_64-17.0.1~dev30-3.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-heat-x86_64-11.0.4~dev4-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-ironic-x86_64-11.1.5~dev17-4.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-keystone-x86_64-14.2.1~dev7-3.34.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-magnum-x86_64-7.2.1~dev1-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-manila-x86_64-7.4.2~dev60-3.39.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.35.2.noarch", "SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev164-6.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev91-3.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-octavia-x86_64-3.2.3~dev7-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-sahara-x86_64-9.0.2~dev15-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-swift-x86_64-2.19.2~dev48-2.28.1.noarch", "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.12.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE OpenStack Cloud 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-cinder-x86_64-13.0.10~dev23-3.36.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-designate-x86_64-7.0.2~dev2-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-glance-x86_64-17.0.1~dev30-3.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-heat-x86_64-11.0.4~dev4-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-ironic-x86_64-11.1.5~dev17-4.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-keystone-x86_64-14.2.1~dev7-3.34.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-magnum-x86_64-7.2.1~dev1-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-manila-x86_64-7.4.2~dev60-3.39.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.35.2.noarch", "SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev164-6.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev91-3.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-octavia-x86_64-3.2.3~dev7-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-sahara-x86_64-9.0.2~dev15-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-swift-x86_64-2.19.2~dev48-2.28.1.noarch", "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.12.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2022-02-09T09:54:06Z", "details": "important" } ], "title": "CVE-2022-23305" }, { "cve": "CVE-2022-23307", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2022-23307" } ], "notes": [ { "category": "general", "text": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE OpenStack Cloud 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-cinder-x86_64-13.0.10~dev23-3.36.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-designate-x86_64-7.0.2~dev2-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-glance-x86_64-17.0.1~dev30-3.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-heat-x86_64-11.0.4~dev4-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-ironic-x86_64-11.1.5~dev17-4.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-keystone-x86_64-14.2.1~dev7-3.34.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-magnum-x86_64-7.2.1~dev1-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-manila-x86_64-7.4.2~dev60-3.39.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.35.2.noarch", "SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev164-6.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev91-3.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-octavia-x86_64-3.2.3~dev7-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-sahara-x86_64-9.0.2~dev15-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-swift-x86_64-2.19.2~dev48-2.28.1.noarch", "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.12.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2022-23307", "url": "https://www.suse.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "SUSE Bug 1194844 for CVE-2022-23307", "url": "https://bugzilla.suse.com/1194844" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE OpenStack Cloud 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-cinder-x86_64-13.0.10~dev23-3.36.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-designate-x86_64-7.0.2~dev2-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-glance-x86_64-17.0.1~dev30-3.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-heat-x86_64-11.0.4~dev4-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-ironic-x86_64-11.1.5~dev17-4.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-keystone-x86_64-14.2.1~dev7-3.34.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-magnum-x86_64-7.2.1~dev1-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-manila-x86_64-7.4.2~dev60-3.39.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.35.2.noarch", "SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev164-6.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev91-3.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-octavia-x86_64-3.2.3~dev7-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-sahara-x86_64-9.0.2~dev15-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-swift-x86_64-2.19.2~dev48-2.28.1.noarch", "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.12.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE OpenStack Cloud 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-cinder-x86_64-13.0.10~dev23-3.36.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-designate-x86_64-7.0.2~dev2-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-glance-x86_64-17.0.1~dev30-3.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-heat-x86_64-11.0.4~dev4-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-ironic-x86_64-11.1.5~dev17-4.31.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-keystone-x86_64-14.2.1~dev7-3.34.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-magnum-x86_64-7.2.1~dev1-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-manila-x86_64-7.4.2~dev60-3.39.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.35.2.noarch", "SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev164-6.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev91-3.37.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-octavia-x86_64-3.2.3~dev7-4.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-sahara-x86_64-9.0.2~dev15-3.33.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-swift-x86_64-2.19.2~dev48-2.28.1.noarch", "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.12.1.noarch", "SUSE OpenStack Cloud Crowbar 9:elasticsearch-2.4.2-6.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:kafka-0.10.2.2-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:logstash-2.4.1-7.6.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-persister-java-1.12.1~dev9-15.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-thresh-2.1.1-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.18.1.noarch", "SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.9.2.noarch", "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.8.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.12.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2022-02-09T09:54:06Z", "details": "important" } ], "title": "CVE-2022-23307" } ] }
suse-su-2021:4097-1
Vulnerability from csaf_suse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for storm-kit", "title": "Title of the patch" }, { "category": "description", "text": "This update for storm-kit fixes the following issues:\n\n- Remove JndiLookup from log4j 2.x jars during build to\n prevent \u0027log4shell\u0027 code injection. (bsc#1193641, bsc#1193611, CVE-2021-44228)\n- Remove JMSAppender from log4j 1.2.x jars during build to prevent attacks when JMS is enabled (bsc#1193641, bsc#1193662, CVE-2021-4104)\n", "title": "Description of the patch" }, { "category": "details", "text": "SUSE-2021-4097,SUSE-OpenStack-Cloud-9-2021-4097,SUSE-OpenStack-Cloud-Crowbar-9-2021-4097", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_4097-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2021:4097-1", "url": "https://www.suse.com/support/update/announcement/2021/suse-su-20214097-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2021:4097-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009912.html" }, { "category": "self", "summary": "SUSE Bug 1193611", "url": "https://bugzilla.suse.com/1193611" }, { "category": "self", "summary": "SUSE Bug 1193641", "url": "https://bugzilla.suse.com/1193641" }, { "category": "self", "summary": "SUSE Bug 1193662", "url": "https://bugzilla.suse.com/1193662" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" }, { "category": "self", "summary": "SUSE CVE CVE-2021-44228 page", "url": "https://www.suse.com/security/cve/CVE-2021-44228/" } ], "title": "Security update for storm-kit", "tracking": { "current_release_date": "2021-12-15T10:32:17Z", "generator": { "date": "2021-12-15T10:32:17Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2021:4097-1", "initial_release_date": "2021-12-15T10:32:17Z", "revision_history": [ { "date": "2021-12-15T10:32:17Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "storm-1.2.3-3.5.1.aarch64", "product": { "name": "storm-1.2.3-3.5.1.aarch64", "product_id": "storm-1.2.3-3.5.1.aarch64" } }, { "category": "product_version", "name": "storm-doc-1.2.3-3.5.1.aarch64", "product": { "name": "storm-doc-1.2.3-3.5.1.aarch64", "product_id": "storm-doc-1.2.3-3.5.1.aarch64" } }, { "category": "product_version", "name": "storm-logviewer-1.2.3-3.5.1.aarch64", "product": { "name": "storm-logviewer-1.2.3-3.5.1.aarch64", "product_id": "storm-logviewer-1.2.3-3.5.1.aarch64" } }, { "category": "product_version", "name": "storm-nimbus-1.2.3-3.5.1.aarch64", "product": { "name": "storm-nimbus-1.2.3-3.5.1.aarch64", "product_id": "storm-nimbus-1.2.3-3.5.1.aarch64" } }, { "category": "product_version", "name": "storm-pacemaker-1.2.3-3.5.1.aarch64", "product": { "name": "storm-pacemaker-1.2.3-3.5.1.aarch64", "product_id": "storm-pacemaker-1.2.3-3.5.1.aarch64" } }, { "category": "product_version", "name": "storm-supervisor-1.2.3-3.5.1.aarch64", "product": { "name": "storm-supervisor-1.2.3-3.5.1.aarch64", "product_id": "storm-supervisor-1.2.3-3.5.1.aarch64" } }, { "category": "product_version", "name": "storm-ui-1.2.3-3.5.1.aarch64", "product": { "name": "storm-ui-1.2.3-3.5.1.aarch64", "product_id": "storm-ui-1.2.3-3.5.1.aarch64" } }, { "category": "product_version", "name": "storm-zookeeper-1.2.3-3.5.1.aarch64", "product": { "name": "storm-zookeeper-1.2.3-3.5.1.aarch64", "product_id": "storm-zookeeper-1.2.3-3.5.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "storm-kit-1.2.3-3.6.2.noarch", "product": { "name": "storm-kit-1.2.3-3.6.2.noarch", "product_id": "storm-kit-1.2.3-3.6.2.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-aarch64-2.7.1~dev10-3.25.1.noarch", "product": { "name": "venv-openstack-monasca-aarch64-2.7.1~dev10-3.25.1.noarch", "product_id": "venv-openstack-monasca-aarch64-2.7.1~dev10-3.25.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ppc64le-2.7.1~dev10-3.25.1.noarch", "product": { "name": "venv-openstack-monasca-ppc64le-2.7.1~dev10-3.25.1.noarch", "product_id": "venv-openstack-monasca-ppc64le-2.7.1~dev10-3.25.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-s390x-2.7.1~dev10-3.25.1.noarch", "product": { "name": "venv-openstack-monasca-s390x-2.7.1~dev10-3.25.1.noarch", "product_id": "venv-openstack-monasca-s390x-2.7.1~dev10-3.25.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.25.1.noarch", "product": { "name": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.25.1.noarch", "product_id": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.25.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "storm-1.2.3-3.5.1.ppc64le", "product": { "name": "storm-1.2.3-3.5.1.ppc64le", "product_id": "storm-1.2.3-3.5.1.ppc64le" } }, { "category": "product_version", "name": "storm-doc-1.2.3-3.5.1.ppc64le", "product": { "name": "storm-doc-1.2.3-3.5.1.ppc64le", "product_id": "storm-doc-1.2.3-3.5.1.ppc64le" } }, { "category": "product_version", "name": "storm-logviewer-1.2.3-3.5.1.ppc64le", "product": { "name": "storm-logviewer-1.2.3-3.5.1.ppc64le", "product_id": "storm-logviewer-1.2.3-3.5.1.ppc64le" } }, { "category": "product_version", "name": "storm-nimbus-1.2.3-3.5.1.ppc64le", "product": { "name": "storm-nimbus-1.2.3-3.5.1.ppc64le", "product_id": "storm-nimbus-1.2.3-3.5.1.ppc64le" } }, { "category": "product_version", "name": "storm-pacemaker-1.2.3-3.5.1.ppc64le", "product": { "name": "storm-pacemaker-1.2.3-3.5.1.ppc64le", "product_id": "storm-pacemaker-1.2.3-3.5.1.ppc64le" } }, { "category": "product_version", "name": "storm-supervisor-1.2.3-3.5.1.ppc64le", "product": { "name": "storm-supervisor-1.2.3-3.5.1.ppc64le", "product_id": "storm-supervisor-1.2.3-3.5.1.ppc64le" } }, { "category": "product_version", "name": "storm-ui-1.2.3-3.5.1.ppc64le", "product": { "name": "storm-ui-1.2.3-3.5.1.ppc64le", "product_id": "storm-ui-1.2.3-3.5.1.ppc64le" } }, { "category": "product_version", "name": "storm-zookeeper-1.2.3-3.5.1.ppc64le", "product": { "name": "storm-zookeeper-1.2.3-3.5.1.ppc64le", "product_id": "storm-zookeeper-1.2.3-3.5.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "storm-1.2.3-3.5.1.x86_64", "product": { "name": "storm-1.2.3-3.5.1.x86_64", "product_id": "storm-1.2.3-3.5.1.x86_64" } }, { "category": "product_version", "name": "storm-doc-1.2.3-3.5.1.x86_64", "product": { "name": "storm-doc-1.2.3-3.5.1.x86_64", "product_id": "storm-doc-1.2.3-3.5.1.x86_64" } }, { "category": "product_version", "name": "storm-logviewer-1.2.3-3.5.1.x86_64", "product": { "name": "storm-logviewer-1.2.3-3.5.1.x86_64", "product_id": "storm-logviewer-1.2.3-3.5.1.x86_64" } }, { "category": "product_version", "name": "storm-nimbus-1.2.3-3.5.1.x86_64", "product": { "name": "storm-nimbus-1.2.3-3.5.1.x86_64", "product_id": "storm-nimbus-1.2.3-3.5.1.x86_64" } }, { "category": "product_version", "name": "storm-pacemaker-1.2.3-3.5.1.x86_64", "product": { "name": "storm-pacemaker-1.2.3-3.5.1.x86_64", "product_id": "storm-pacemaker-1.2.3-3.5.1.x86_64" } }, { "category": "product_version", "name": "storm-supervisor-1.2.3-3.5.1.x86_64", "product": { "name": "storm-supervisor-1.2.3-3.5.1.x86_64", "product_id": "storm-supervisor-1.2.3-3.5.1.x86_64" } }, { "category": "product_version", "name": "storm-ui-1.2.3-3.5.1.x86_64", "product": { "name": "storm-ui-1.2.3-3.5.1.x86_64", "product_id": "storm-ui-1.2.3-3.5.1.x86_64" } }, { "category": "product_version", "name": "storm-zookeeper-1.2.3-3.5.1.x86_64", "product": { "name": "storm-zookeeper-1.2.3-3.5.1.x86_64", "product_id": "storm-zookeeper-1.2.3-3.5.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "SUSE OpenStack Cloud 9", "product": { "name": "SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud:9" } } }, { "category": "product_name", "name": "SUSE OpenStack Cloud Crowbar 9", "product": { "name": "SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:9" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "storm-1.2.3-3.5.1.x86_64 as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:storm-1.2.3-3.5.1.x86_64" }, "product_reference": "storm-1.2.3-3.5.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "storm-nimbus-1.2.3-3.5.1.x86_64 as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.5.1.x86_64" }, "product_reference": "storm-nimbus-1.2.3-3.5.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "storm-supervisor-1.2.3-3.5.1.x86_64 as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.5.1.x86_64" }, "product_reference": "storm-supervisor-1.2.3-3.5.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.25.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.25.1.noarch" }, "product_reference": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.25.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "storm-1.2.3-3.5.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.5.1.x86_64" }, "product_reference": "storm-1.2.3-3.5.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "storm-nimbus-1.2.3-3.5.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.5.1.x86_64" }, "product_reference": "storm-nimbus-1.2.3-3.5.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "storm-supervisor-1.2.3-3.5.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.5.1.x86_64" }, "product_reference": "storm-supervisor-1.2.3-3.5.1.x86_64", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE OpenStack Cloud 9:storm-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.25.1.noarch", "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.5.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE OpenStack Cloud 9:storm-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.25.1.noarch", "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.5.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE OpenStack Cloud 9:storm-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.25.1.noarch", "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.5.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2021-12-15T10:32:17Z", "details": "moderate" } ], "title": "CVE-2021-4104" }, { "cve": "CVE-2021-44228", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-44228" } ], "notes": [ { "category": "general", "text": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE OpenStack Cloud 9:storm-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.25.1.noarch", "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.5.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2021-44228", "url": "https://www.suse.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "SUSE Bug 1193611 for CVE-2021-44228", "url": "https://bugzilla.suse.com/1193611" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-44228", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193743 for CVE-2021-44228", "url": "https://bugzilla.suse.com/1193743" }, { "category": "external", "summary": "SUSE Bug 1193795 for CVE-2021-44228", "url": "https://bugzilla.suse.com/1193795" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-44228", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194123 for CVE-2021-44228", "url": "https://bugzilla.suse.com/1194123" }, { "category": "external", "summary": "SUSE Bug 1202994 for CVE-2021-44228", "url": "https://bugzilla.suse.com/1202994" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE OpenStack Cloud 9:storm-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.25.1.noarch", "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.5.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE OpenStack Cloud 9:storm-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud 9:storm-nimbus-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud 9:storm-supervisor-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.25.1.noarch", "SUSE OpenStack Cloud Crowbar 9:storm-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-nimbus-1.2.3-3.5.1.x86_64", "SUSE OpenStack Cloud Crowbar 9:storm-supervisor-1.2.3-3.5.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2021-12-15T10:32:17Z", "details": "critical" } ], "title": "CVE-2021-44228" } ] }
suse-su-2022:0133-1
Vulnerability from csaf_suse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for openstack-monasca-agent, spark, spark-kit, zookeeper", "title": "Title of the patch" }, { "category": "description", "text": "This update for openstack-monasca-agent, spark, spark-kit, zookeeper fixes the following issues:\n\n- CVE-2021-4104: Remove JMSAppender from log4j jars (bsc#1193662) \n", "title": "Description of the patch" }, { "category": "details", "text": "SUSE-2022-133,SUSE-OpenStack-Cloud-9-2022-133,SUSE-OpenStack-Cloud-Crowbar-9-2022-133", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_0133-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2022:0133-1", "url": "https://www.suse.com/support/update/announcement/2022/suse-su-20220133-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2022:0133-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-January/010032.html" }, { "category": "self", "summary": "SUSE Bug 1193662", "url": "https://bugzilla.suse.com/1193662" }, { "category": "self", "summary": "SUSE CVE CVE-2021-4104 page", "url": "https://www.suse.com/security/cve/CVE-2021-4104/" } ], "title": "Security update for openstack-monasca-agent, spark, spark-kit, zookeeper", "tracking": { "current_release_date": "2022-01-20T09:01:50Z", "generator": { "date": "2022-01-20T09:01:50Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2022:0133-1", "initial_release_date": "2022-01-20T09:01:50Z", "revision_history": [ { "date": "2022-01-20T09:01:50Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.13-3.9.1.aarch64", "product": { "name": "libzookeeper2-3.4.13-3.9.1.aarch64", "product_id": "libzookeeper2-3.4.13-3.9.1.aarch64" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.13-3.9.1.aarch64", "product": { "name": "libzookeeper2-devel-3.4.13-3.9.1.aarch64", "product_id": "libzookeeper2-devel-3.4.13-3.9.1.aarch64" } }, { "category": "product_version", "name": "zookeeper-client-3.4.13-3.9.1.aarch64", "product": { "name": "zookeeper-client-3.4.13-3.9.1.aarch64", "product_id": "zookeeper-client-3.4.13-3.9.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "openstack-monasca-agent-2.8.2~dev5-3.15.1.noarch", "product": { "name": "openstack-monasca-agent-2.8.2~dev5-3.15.1.noarch", "product_id": "openstack-monasca-agent-2.8.2~dev5-3.15.1.noarch" } }, { "category": "product_version", "name": "python-monasca-agent-2.8.2~dev5-3.15.1.noarch", "product": { "name": "python-monasca-agent-2.8.2~dev5-3.15.1.noarch", "product_id": "python-monasca-agent-2.8.2~dev5-3.15.1.noarch" } }, { "category": "product_version", "name": "spark-2.2.3-5.6.1.noarch", "product": { "name": "spark-2.2.3-5.6.1.noarch", "product_id": "spark-2.2.3-5.6.1.noarch" } }, { "category": "product_version", "name": "spark-kit-2.2.3-4.3.1.noarch", "product": { "name": "spark-kit-2.2.3-4.3.1.noarch", "product_id": "spark-kit-2.2.3-4.3.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-aarch64-2.7.1~dev10-3.29.1.noarch", "product": { "name": "venv-openstack-monasca-aarch64-2.7.1~dev10-3.29.1.noarch", "product_id": "venv-openstack-monasca-aarch64-2.7.1~dev10-3.29.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-ppc64le-2.7.1~dev10-3.29.1.noarch", "product": { "name": "venv-openstack-monasca-ppc64le-2.7.1~dev10-3.29.1.noarch", "product_id": "venv-openstack-monasca-ppc64le-2.7.1~dev10-3.29.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-s390x-2.7.1~dev10-3.29.1.noarch", "product": { "name": "venv-openstack-monasca-s390x-2.7.1~dev10-3.29.1.noarch", "product_id": "venv-openstack-monasca-s390x-2.7.1~dev10-3.29.1.noarch" } }, { "category": "product_version", "name": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.29.1.noarch", "product": { "name": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.29.1.noarch", "product_id": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.29.1.noarch" } }, { "category": "product_version", "name": "zookeeper-server-3.4.13-3.9.1.noarch", "product": { "name": "zookeeper-server-3.4.13-3.9.1.noarch", "product_id": "zookeeper-server-3.4.13-3.9.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.13-3.9.1.ppc64le", "product": { "name": "libzookeeper2-3.4.13-3.9.1.ppc64le", "product_id": "libzookeeper2-3.4.13-3.9.1.ppc64le" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.13-3.9.1.ppc64le", "product": { "name": "libzookeeper2-devel-3.4.13-3.9.1.ppc64le", "product_id": "libzookeeper2-devel-3.4.13-3.9.1.ppc64le" } }, { "category": "product_version", "name": "zookeeper-client-3.4.13-3.9.1.ppc64le", "product": { "name": "zookeeper-client-3.4.13-3.9.1.ppc64le", "product_id": "zookeeper-client-3.4.13-3.9.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.13-3.9.1.s390x", "product": { "name": "libzookeeper2-3.4.13-3.9.1.s390x", "product_id": "libzookeeper2-3.4.13-3.9.1.s390x" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.13-3.9.1.s390x", "product": { "name": "libzookeeper2-devel-3.4.13-3.9.1.s390x", "product_id": "libzookeeper2-devel-3.4.13-3.9.1.s390x" } }, { "category": "product_version", "name": "zookeeper-client-3.4.13-3.9.1.s390x", "product": { "name": "zookeeper-client-3.4.13-3.9.1.s390x", "product_id": "zookeeper-client-3.4.13-3.9.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "libzookeeper2-3.4.13-3.9.1.x86_64", "product": { "name": "libzookeeper2-3.4.13-3.9.1.x86_64", "product_id": "libzookeeper2-3.4.13-3.9.1.x86_64" } }, { "category": "product_version", "name": "libzookeeper2-devel-3.4.13-3.9.1.x86_64", "product": { "name": "libzookeeper2-devel-3.4.13-3.9.1.x86_64", "product_id": "libzookeeper2-devel-3.4.13-3.9.1.x86_64" } }, { "category": "product_version", "name": "zookeeper-client-3.4.13-3.9.1.x86_64", "product": { "name": "zookeeper-client-3.4.13-3.9.1.x86_64", "product_id": "zookeeper-client-3.4.13-3.9.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "SUSE OpenStack Cloud 9", "product": { "name": "SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud:9" } } }, { "category": "product_name", "name": "SUSE OpenStack Cloud Crowbar 9", "product": { "name": "SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:9" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-agent-2.8.2~dev5-3.15.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.15.1.noarch" }, "product_reference": "openstack-monasca-agent-2.8.2~dev5-3.15.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "python-monasca-agent-2.8.2~dev5-3.15.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.15.1.noarch" }, "product_reference": "python-monasca-agent-2.8.2~dev5-3.15.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "spark-2.2.3-5.6.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:spark-2.2.3-5.6.1.noarch" }, "product_reference": "spark-2.2.3-5.6.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.29.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.29.1.noarch" }, "product_reference": "venv-openstack-monasca-x86_64-2.7.1~dev10-3.29.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "zookeeper-server-3.4.13-3.9.1.noarch as component of SUSE OpenStack Cloud 9", "product_id": "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.9.1.noarch" }, "product_reference": "zookeeper-server-3.4.13-3.9.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 9" }, { "category": "default_component_of", "full_product_name": { "name": "openstack-monasca-agent-2.8.2~dev5-3.15.1.noarch as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.15.1.noarch" }, "product_reference": "openstack-monasca-agent-2.8.2~dev5-3.15.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "python-monasca-agent-2.8.2~dev5-3.15.1.noarch as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.15.1.noarch" }, "product_reference": "python-monasca-agent-2.8.2~dev5-3.15.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "spark-2.2.3-5.6.1.noarch as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.6.1.noarch" }, "product_reference": "spark-2.2.3-5.6.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" }, { "category": "default_component_of", "full_product_name": { "name": "zookeeper-server-3.4.13-3.9.1.noarch as component of SUSE OpenStack Cloud Crowbar 9", "product_id": "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.9.1.noarch" }, "product_reference": "zookeeper-server-3.4.13-3.9.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-4104" } ], "notes": [ { "category": "general", "text": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.15.1.noarch", "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.15.1.noarch", "SUSE OpenStack Cloud 9:spark-2.2.3-5.6.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.29.1.noarch", "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.9.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.15.1.noarch", "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.15.1.noarch", "SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.9.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2021-4104", "url": "https://www.suse.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "SUSE Bug 1193662 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193662" }, { "category": "external", "summary": "SUSE Bug 1193978 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1193978" }, { "category": "external", "summary": "SUSE Bug 1194016 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194016" }, { "category": "external", "summary": "SUSE Bug 1194842 for CVE-2021-4104", "url": "https://bugzilla.suse.com/1194842" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.15.1.noarch", "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.15.1.noarch", "SUSE OpenStack Cloud 9:spark-2.2.3-5.6.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.29.1.noarch", "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.9.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.15.1.noarch", "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.15.1.noarch", "SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.9.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE OpenStack Cloud 9:openstack-monasca-agent-2.8.2~dev5-3.15.1.noarch", "SUSE OpenStack Cloud 9:python-monasca-agent-2.8.2~dev5-3.15.1.noarch", "SUSE OpenStack Cloud 9:spark-2.2.3-5.6.1.noarch", "SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.29.1.noarch", "SUSE OpenStack Cloud 9:zookeeper-server-3.4.13-3.9.1.noarch", "SUSE OpenStack Cloud Crowbar 9:openstack-monasca-agent-2.8.2~dev5-3.15.1.noarch", "SUSE OpenStack Cloud Crowbar 9:python-monasca-agent-2.8.2~dev5-3.15.1.noarch", "SUSE OpenStack Cloud Crowbar 9:spark-2.2.3-5.6.1.noarch", "SUSE OpenStack Cloud Crowbar 9:zookeeper-server-3.4.13-3.9.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2022-01-20T09:01:50Z", "details": "moderate" } ], "title": "CVE-2021-4104" } ] }
CERTFR-2021-ALE-022
Vulnerability from certfr_alerte
Une vulnérabilité a été découverte dans la bibliothèque de journalisation Apache log4j. Cette bibliothèque est très souvent utilisée dans les projets de développement d'application Java/J2EE ainsi que par les éditeurs de solutions logicielles sur étagère basées sur Java/J2EE.
Cette vulnérabilité permet à un attaquant de provoquer une exécution de code arbitraire à distance s'il a la capacité de soumettre une donnée à une application qui utilise la bibliothèque log4j pour journaliser l'évènement. Cette attaque peut être réalisée sans être authentifié, par exemple en tirant parti d'une page d'authentification qui journalise les erreurs d'authentification.
Des preuves de concept ont déjà été publiées. Cette vulnérabilité fait désormais l'objet d'une exploitation active.
Détection
Le CERT-FR recommande de réaliser une analyse approfondie des journaux réseau. Les motifs suivants permettent d'identifier une tentative d'exploitation de cette vulnérabilité lorsqu'ils sont utilisés dans les URLs ou certaines en-têtes HTTP comme *user-agent* : > > > > > > > \${jndi: > > > > > > > > \$%7Bjndi: (prend en compte un obscurcissement simple) > > > > > > > > Cependant, les attaquants peuvent utiliser des moyens d’obscurcissement pour contourner les motifs de détection précédents. Les motifs suivants permettent de prendre en compte certaines méthodes d'obscurcissement mais peuvent provoquer des faux positifs :Afin de déterminer si une tentative d'exploitation a réussi, et dans le cas où vous disposeriez de journaux contenant des requêtes DNS, il est recommandé de les corréler aux résultats des motifs précédemment énoncés. En effet, si l’exécution d'une requête de type *\${jndi:xxx://nom.domaine.com}* a fonctionné, une résolution DNS sera alors effectuée pour résoudre le nom de domaine externe *nom*.*domaine.com*. L'émission d'une requête DNS peut également faire l'objet d'une trace dans les journaux du serveur applicatif. Ainsi, il peut être utile de chercher le motif *com.sun.jndi.dns.DnsContext@* dans ces journaux. Note : une résolution de domaine externe ne signifie pas qu'une exécution de code a réussi mais permet de confirmer que l'application est vulnérable. Il sera donc nécessaire de poursuivre l'analyse des journaux pour détecter une compromission. En complément des informations ci-dessus, une requête de type *\${jndi:dns://serveur_dns/enregistrement_TXT}* est également utilisable par l'attaquant pour tester la présence de la vulnérabilité. Il est également intéressant de rechercher les motifs suivants dans les fichiers journaux des applications :\${\${
\${::-
%24%7B%3A%3A-
\${env:
\${date:
\${lower:
\${upper:
hostName}
}\${
\${ (génère beaucoup de faux positifs, mais très exhaustif)
- le motif com.sun.jndi.ldap.LdapCtx@ (et non pas com.sun.jndi.dns.DnsContext@ comme indiqué précédemment) apparaîtra lorsqu'une injection LDAP est utilisée pour récupérer du contenu qui ne serait pas un objet java au standard rfc2713 : il peut s'agir d'un scan de détection ou d'une tentative erronée d'un attaquant
- l'injection sera enregistrée dans les journaux telle qu'elle a été soumise par l'attaquant si le serveur LDAP n'est pas joignable ou si l'objet qu'il souhaitait télécharger n'est pas trouvé sur le serveur LDAP : il est donc possible de trouver des tentatives d'injection sous une forme obscurcie dans les journaux, les motifs précédemment listés peuvent donc être utilisés pour identifier toutes les tentatives
- une erreur contenant le motif "Reference Class Name:" suivi d'un nom de classe puis des lignes commençant par "Type:" et "Content:" peut apparaître dans les journaux si l'injection LDAP fonctionne mais que la classe contenant la charge utile ne peut pas être récupérée sur le serveur LDAP visé
- il peut être intéressant de chercher des injections en DNS et LDAP
basées sur la classe JavaLookup tels que \${java:hw},
\${java:vm} et \${java:os}. Ces dernières sont utilisées par les
attaquants pour obtenir des informations sur la machine ciblée.*
*
[Mise à jour du 07 janvier 2022] Le CERT-FR propose au téléchargement un ensemble de règles de détection basées sur la syntaxe utilisée par l'outil suricata. Ces règles peuvent être mises en œuvre, après adaptation, sur un équipement de détection réseau ou un pare-feu applicatif. Un guide de mise en œuvre est également proposé.
### Précisions sur les CVE-2021-45046 et CVE-2021-45105 La version 2.15.0 recommandée jusqu'à présent est affectée par une autre vulnérabilité, désignée par l'identifiant CVE-2021-45046 \[4\]. Cette vulnérabilité permet à un attaquant non authentifié d'effectuer un déni de service. Par ailleurs, des chercheurs ont mis en évidence la possibilité d'exfiltrer des données dans certaines configurations non détaillées. Par ailleurs, les versions 2.16.0 et 2.12.2 sont affectées par une nouvelle vulnérabilité, désignée par l'identifiant CVE-2021-45105 \[5\], qui permet de provoquer un déni de service à distance. ### Précisions sur la CVE-2021-44832 La version 2.17.0 recommandée jusqu'à présent est affectée par une vulnérabilité, désignée par l'identifiant CVE-2021-44832 \[6\]. Cette vulnérabilité permet à un attaquant, autorisé à modifier le fichier de configuration Log4J, d'effectuer une exécution de code à distance. La complexité de l'attaque étant élevée, le CERT-FR continue de recommander la mise à jour des composants Log4j à la version 2.17.0 pour java 8 et 2.12.3 pour java7. Par ailleurs, il est fortement recommandé de rester attentif aux nouvelles vulnérabilités Log4j qui pourraient être identifiées à l'avenir ainsi qu'aux correctifs proposés par Apache. ### Précisions sur les modes d'attaque Il convient également de noter que des techniques permettent d'exploiter la vulnérabilité localement sans recourir à un serveur tiers malveillant. L'attaquant peut injecter un code malveillant dans la requête initiale s'il a suffisamment d'informations sur l'application vulnérable qu'il cible. Cette attaque requiert donc une première phase de reconnaissance et de collecte de données. Cette phase est possible tant que n'ont pas été appliqués : d'une part, un filtrage réseau adéquat et d'autre part, le correctif ou, à défaut, les mesures de contournement. Il est donc important de disposer des journaux de ces environnements pour rechercher des éventuelles traces d'exfiltration de données. Les moyens de détection précédemment peuvent être utilisés à cette fin. Pour rappel : une application utilisant une version non vulnérable de log4j peut transmettre des données à une autre application qui utilise une version vulnérable de cette bibliothèque. L’attaquant pourra exploiter la vulnérabilité dans la seconde application en soumettant une donnée malveillante via la première. Par conséquent, le CERT-FR recommande de ne pas limiter l'identification de la vulnérabilité aux seules applications exposées sur Internet, mais également aux applications internes. L'utilisation d'outils tels que ceux listés ci-dessous facilitera leur identification.Contournement provisoire
La version 1 de log4j a été initialement déclarée vulnérable cependant la vulnérabilité n'existe que si le composant JMS Appender est configuré pour prendre en compte JNDI. Il s'agit donc d'une configuration très spécifique [1][3].
Il est recommandé d'utiliser une version à jour de l'environnement d'exécution Java (les versions 8u191 et ultérieures apportent des restrictions pour les appels JNDI basés sur LDAP et RMI), cependant les codes d'exploitation les plus récents sont en mesure de contourner ces protections pour continuer d'exploiter la vulnérabilité.
La mise en place de filtres au niveau de vos pare-feux applicatifs pour bloquer les tentatives d'exploitation de cette vulnérabilité peut constituer une première mesure d'urgence mais elle reste insuffisante : les attaquants utilisent différentes techniques d'obscurcissement des données injectées pour contourner ces filtres.
Les contournements proposés initialement ne permettent plus de se prémunir contre certaines formes d'exploitation. Face à la possibilité que d'autres exploitations soient encore découvertes y compris pour la version 2.15.0, le CERT-FR recommande d'utiliser les versions les plus à jour de la bibliothèque.
En cas d'impossibilité de migration, il reste possible de supprimer la classe Java vulnérable. Cette opération impose de tester le fonctionnement de l'application afin d'identifier les impacts de la modification sur son fonctionnement.
Cette suppression peut par exemple être effectuée avec la commande suivante : zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Outillage
- Des outils de recherche de la bibliothèque Log4j sont proposés par le **CERT/CC** (non qualifiés par le CERT-FR) : - Le site du **NCSC-NL** recense également des outils, qui n'ont pas été qualifiés par le NCSC-NL ni par le CERT-FR : - La **CISA** a publié un scanner basé sur des outils issus de la communauté open-source :Solution
Il est fortement recommandé aux utilisateurs d'applications ou de logiciels sur étagère basés sur la technologie Java/J2EE :
- de conserver les journaux a minima depuis le 1er décembre 2021 à des fins d'analyse ultérieure ;
- de préparer sans délai des mesures de préservation en cas d'incident majeur, notamment par la mise hors ligne de sauvegardes à jour ;
- de filtrer et de journaliser les flux sortants des serveurs pour les limiter aux seuls flux autorisés vers des services de confiance ;
- de prendre contact avec le développeur ou l'éditeur pour vérifier s'ils sont exposés à cette vulnérabilité et si un correctif est disponible.
Il est fortement recommandé aux développeurs/éditeurs :
- d'inventorier les solutions affectées par les vulnérabilités ;
- d'informer les utilisateurs et clients de leurs statuts et des actions en cours ;
- de corriger les solutions en utilisant à minima la version 2.17.0 pour java 8 ou la version 2.12.3 pour java 7 et idéalement la version 2.17.1 pour java 8 ou la version 2.12.4 pour java 7 ;
- de fournir une nouvelle version de leurs solutions dans les plus brefs délais.
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
La mise à jour d’un produit ou d’un logiciel est une opération délicate qui doit être menée avec prudence. Il est notamment recommandé d’effectuer des tests autant que possible. Des dispositions doivent également être prises pour garantir la continuité de service en cas de difficultés lors de l’application des mises à jour comme des correctifs ou des changements de version.
Vendor | Product | Description | ||
---|---|---|---|---|
Apache | N/A | Apache Log4j versions 2.0 à 2.14.1 | ||
Apache | N/A | Apache Log4j versions 1.x (versions obsolètes) sous réserve d'une configuration particulière, cf. ci-dessous | ||
Apache | N/A | Apache Log4j version 2.15.0 | ||
Apache | N/A | Les produits utilisant une version vulnérable de Apache Log4j : les CERT nationaux européens tiennent à jour une liste complète des produits et de leur statut vis-à-vis de la vulnérabilité [2] | ||
Apache | N/A | Apache Log4j versions 2.16.0 et 2.12.2 (java 7) |
Title | Publication Time | Tags | ||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
{ "$ref": "https://www.cert.ssi.gouv.fr/openapi.json", "affected_systems": [ { "description": "Apache Log4j versions 2.0 \u00e0 2.14.1", "product": { "name": "N/A", "vendor": { "name": "Apache", "scada": false } } }, { "description": "Apache Log4j versions 1.x (versions obsol\u00e8tes) sous r\u00e9serve d\u0027une configuration particuli\u00e8re, cf. ci-dessous", "product": { "name": "N/A", "vendor": { "name": "Apache", "scada": false } } }, { "description": "Apache Log4j version 2.15.0", "product": { "name": "N/A", "vendor": { "name": "Apache", "scada": false } } }, { "description": "Les produits utilisant une version vuln\u00e9rable de Apache Log4j : les CERT nationaux europ\u00e9ens tiennent \u00e0 jour une liste compl\u00e8te des produits et de leur statut vis-\u00e0-vis de la vuln\u00e9rabilit\u00e9 [2]", "product": { "name": "N/A", "vendor": { "name": "Apache", "scada": false } } }, { "description": "Apache Log4j versions 2.16.0 et 2.12.2 (java 7)", "product": { "name": "N/A", "vendor": { "name": "Apache", "scada": false } } } ], "affected_systems_content": "", "closed_at": "2022-05-04", "content": "## Contournement provisoire\n\nLa version 1 de log4j a \u00e9t\u00e9 initialement d\u00e9clar\u00e9e vuln\u00e9rable cependant\nla vuln\u00e9rabilit\u00e9 n\u0027existe que si le composant *JMS Appender* est\nconfigur\u00e9 pour prendre en compte *JNDI*. Il s\u0027agit donc d\u0027une\nconfiguration tr\u00e8s sp\u00e9cifique \\[1\\]\\[3\\].\n\nIl est recommand\u00e9 d\u0027utiliser une version \u00e0 jour de l\u0027environnement\nd\u0027ex\u00e9cution Java (les versions 8u191 et ult\u00e9rieures apportent des\nrestrictions pour les appels JNDI bas\u00e9s sur LDAP et RMI), cependant les\ncodes d\u0027exploitation les plus r\u00e9cents sont en mesure de contourner ces\nprotections pour continuer d\u0027exploiter la vuln\u00e9rabilit\u00e9.\n\n\u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\nclass=\"mx_EventTile_body\" dir=\"auto\"\u003eLa mise en place de filtres au\nniveau de vos pare-feux applicatifs pour bloquer les tentatives\nd\u0027exploitation de cette vuln\u00e9rabilit\u00e9 peut constituer une premi\u00e8re\nmesure d\u0027urgence mais elle reste insuffisante : les attaquants utilisent\ndiff\u00e9rentes techniques d\u0027obscurcissement des donn\u00e9es inject\u00e9es pour\ncontourner ces filtres. \u003c/span\u003e\u003c/span\u003e\n\n**Les contournements propos\u00e9s initialement ne permettent plus de se\npr\u00e9munir contre certaines formes d\u0027exploitation. Face \u00e0 la possibilit\u00e9\nque d\u0027autres exploitations soient encore d\u00e9couvertes y compris pour la\nversion 2.15.0, le CERT-FR recommande d\u0027utiliser les versions les plus \u00e0\njour de la biblioth\u00e8que.**\n\nEn cas d\u0027impossibilit\u00e9 de migration, il reste possible de **supprimer la\nclasse Java vuln\u00e9rable**. Cette op\u00e9ration impose de tester le\nfonctionnement de l\u0027application afin d\u0027identifier les impacts de la\nmodification sur son fonctionnement.\n\nCette suppression peut par exemple \u00eatre effectu\u00e9e avec la commande\nsuivante : *zip -q -d log4j-core-\\*.jar\norg/apache/logging/log4j/core/lookup/JndiLookup.class*\n\n### Outillage\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\n- Des outils de recherche de la biblioth\u00e8que Log4j sont propos\u00e9s par\n le **CERT/CC** (non qualifi\u00e9s par le CERT-FR) :\n \u003chttps://github.com/CERTCC/CVE-2021-44228_scanner\u003e\n- Le site du **NCSC-NL** recense \u00e9galement des outils, qui n\u0027ont pas\n \u00e9t\u00e9 qualifi\u00e9s par le NCSC-NL ni par le CERT-FR :\n \u003chttps://github.com/NCSC-NL/log4shell/tree/main/scanning\u003e\n- La **CISA** a publi\u00e9 un scanner bas\u00e9 sur des outils issus de la\n communaut\u00e9 open-source : \u003chttps://github.com/cisagov/log4j-scanner\u003e\n\n\u003c/div\u003e\n\n\u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003c/div\u003e\n\n## Solution\n\nIl est fortement recommand\u00e9 \u003cu\u003eaux utilisateurs\u003c/u\u003e d\u0027applications ou de\nlogiciels sur \u00e9tag\u00e8re bas\u00e9s sur la technologie Java/J2EE :\n\n- de conserver les journaux a minima depuis le 1er d\u00e9cembre 2021 \u00e0 des\n fins d\u0027analyse ult\u00e9rieure ;\n- de pr\u00e9parer sans d\u00e9lai des mesures de pr\u00e9servation en cas d\u0027incident\n majeur, notamment par la mise hors ligne de sauvegardes \u00e0 jour ;\n- de filtrer et de journaliser les flux sortants des serveurs pour les\n limiter aux seuls flux autoris\u00e9s vers des services de confiance ;\n- de prendre contact avec le d\u00e9veloppeur ou l\u0027\u00e9diteur pour v\u00e9rifier\n s\u0027ils sont expos\u00e9s \u00e0 cette vuln\u00e9rabilit\u00e9 et si un correctif est\n disponible.\n\nIl est fortement recommand\u00e9 aux \u003cu\u003ed\u00e9veloppeurs/\u00e9diteurs\u003c/u\u003e :\n\n- d\u0027inventorier les solutions affect\u00e9es par les vuln\u00e9rabilit\u00e9s ;\n- d\u0027informer les utilisateurs et clients de leurs statuts et des\n actions en cours ;\n- de corriger les solutions en utilisant **\u00e0 minima la version 2.17.0\n pour java 8** ou **la version 2.12.3 pour java 7** et **id\u00e9alement\n la version 2.17.1 pour java 8** ou **la version 2.12.4 pour java 7**\n ;\n- de fournir une nouvelle version de leurs solutions dans les plus\n brefs d\u00e9lais.\n\n\u00a0\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n\n\u00a0\n\n------------------------------------------------------------------------\n\nLa mise \u00e0 jour d\u2019un produit ou d\u2019un logiciel est une op\u00e9ration d\u00e9licate\nqui doit \u00eatre men\u00e9e avec prudence. Il est notamment recommand\u00e9\nd\u2019effectuer des tests autant que possible. Des dispositions doivent\n\u00e9galement \u00eatre prises pour garantir la continuit\u00e9 de service en cas de\ndifficult\u00e9s lors de l\u2019application des mises \u00e0 jour comme des correctifs\nou des changements de version.\n\n", "cves": [ { "name": "CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "name": "CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "name": "CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "name": "CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "name": "CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" } ], "initial_release_date": "2021-12-10T00:00:00", "last_revision_date": "2022-05-04T00:00:00", "links": [ { "title": "[6] R\u00e9f\u00e9rence CVE CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "title": "[1]", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "title": "[5] R\u00e9f\u00e9rence CVE CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "title": "R\u00e9f\u00e9rence CVE CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "title": "[4] R\u00e9f\u00e9rence CVE CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "title": "[2] liste des produits et de leurs statuts vis-\u00e0-vis de la vuln\u00e9rabilit\u00e9", "url": "https://github.com/NCSC-NL/log4shell/tree/main/software" }, { "title": "Bulletin de s\u00e9curit\u00e9 Apache du 09 d\u00e9cembre 2021", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "title": "[3] R\u00e9f\u00e9rence CVE CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" } ], "reference": "CERTFR-2021-ALE-022", "revisions": [ { "description": "Version initiale", "revision_date": "2021-12-10T00:00:00.000000" }, { "description": "Compl\u00e9ment concernant les versions vuln\u00e9rables", "revision_date": "2021-12-12T00:00:00.000000" }, { "description": "compl\u00e9ment concernant la jre", "revision_date": "2021-12-12T00:00:00.000000" }, { "description": "ajout d\u0027aide \u00e0 la d\u00e9tection, note sur l\u0027utilisation des pare-feux applicatifs, compl\u00e9ment sur les solutions.", "revision_date": "2021-12-14T00:00:00.000000" }, { "description": "Ajout de r\u00e9f\u00e9rence vers les outils de d\u00e9tection et note importante sur les m\u00e9thodes d\u0027attaque ainsi que les derni\u00e8res versions de log4j", "revision_date": "2021-12-15T00:00:00.000000" }, { "description": "Evolution de la section solution", "revision_date": "2021-12-16T00:00:00.000000" }, { "description": "prise en compte de la CVE-2021-45105 et ajout d\u0027\u00e9l\u00e9ments d\u0027aide \u00e0 la d\u00e9tection", "revision_date": "2021-12-20T00:00:00.000000" }, { "description": "correction motif de d\u00e9tection, compl\u00e9ment outillage, note sur la possibilit\u00e9 d\u0027exploiter la vuln\u00e9rabilit\u00e9 sur une application interne", "revision_date": "2021-12-22T00:00:00.000000" }, { "description": "Prise en compte de la CVE-2021-44832", "revision_date": "2022-01-05T00:00:00.000000" }, { "description": "correction date 05 janvier 2022, ajout du fichier signatures", "revision_date": "2022-01-07T00:00:00.000000" }, { "description": "Cl\u00f4ture de l\u0027alerte. Cela ne signifie pas la fin d\u0027une menace. Seule l\u0027application de la mise \u00e0 jour permet de vous pr\u00e9munir contre l\u0027exploitation de la vuln\u00e9rabilit\u00e9 correspondante.", "revision_date": "2022-05-04T00:00:00.000000" } ], "risks": [ { "description": "Ex\u00e9cution de code arbitraire \u00e0 distance" } ], "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans la biblioth\u00e8que de\njournalisation Apache log4j. Cette biblioth\u00e8que est tr\u00e8s souvent\nutilis\u00e9e dans les projets de d\u00e9veloppement d\u0027application Java/J2EE ainsi\nque par les \u00e9diteurs de solutions logicielles sur \u00e9tag\u00e8re bas\u00e9es sur\nJava/J2EE.\n\nCette vuln\u00e9rabilit\u00e9 permet \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire \u00e0 distance s\u0027il a la capacit\u00e9 de soumettre une donn\u00e9e \u00e0\nune application qui utilise la biblioth\u00e8que log4j pour journaliser\nl\u0027\u00e9v\u00e8nement. Cette attaque peut \u00eatre r\u00e9alis\u00e9e sans \u00eatre authentifi\u00e9, par\nexemple en tirant parti d\u0027une page d\u0027authentification qui journalise les\nerreurs d\u0027authentification.\n\nDes preuves de concept ont d\u00e9j\u00e0 \u00e9t\u00e9 publi\u00e9es. Cette vuln\u00e9rabilit\u00e9 fait\nd\u00e9sormais l\u0027objet d\u0027une exploitation active.\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003c/div\u003e\n\n\u003c/div\u003e\n\n\u003c/div\u003e\n\n### D\u00e9tection\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\nLe CERT-FR recommande de r\u00e9aliser une analyse approfondie des journaux\nr\u00e9seau. Les motifs suivants permettent d\u0027identifier une tentative\nd\u0027exploitation de cette vuln\u00e9rabilit\u00e9 lorsqu\u0027ils sont utilis\u00e9s dans les\nURLs ou certaines en-t\u00eates HTTP comme *user-agent* :\n\n\u003c/div\u003e\n\n\u003e \u003cdiv markdown=\"1\"\u003e\n\u003e\n\u003e \u003c/div\u003e\n\u003e\n\u003e \u003cdiv markdown=\"1\"\u003e\n\u003e\n\u003e \\${jndi:\n\u003e\n\u003e \u003c/div\u003e\n\u003e\n\u003e \u003cdiv markdown=\"1\"\u003e\n\u003e\n\u003e \u003cdiv markdown=\"1\"\u003e\n\u003e\n\u003e \\$%7Bjndi:\u00a0\u00a0\u00a0\u00a0 (prend en compte un obscurcissement simple)\n\u003e\n\u003e \u003c/div\u003e\n\u003e\n\u003e \u003c/div\u003e\n\u003e\n\u003e \u003cdiv markdown=\"1\"\u003e\n\u003e\n\u003e \u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\nCependant, les attaquants peuvent utiliser des moyens d\u2019obscurcissement\npour contourner les motifs de d\u00e9tection pr\u00e9c\u00e9dents. Les motifs suivants\npermettent de prendre en compte certaines m\u00e9thodes d\u0027obscurcissement\nmais \u003cstrong\u003epeuvent provoquer des faux positifs : \n\u003c/strong\u003e\n\n\u003c/div\u003e\n\n\u003c/div\u003e\n\n\u003e \u003cdiv markdown=\"1\"\u003e\n\u003e\n\u003e \u003cdiv markdown=\"1\"\u003e\n\u003e\n\u003e \\${\\${\n\u003e\n\u003e \u003c/div\u003e\n\u003e\n\u003e \u003c/div\u003e\n\u003e\n\u003e \u003cdiv markdown=\"1\"\u003e\n\u003e\n\u003e \u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\n\u003e class=\"mx_EventTile_body\" dir=\"auto\"\u003e\\${::-\u003c/span\u003e\u003c/span\u003e\n\u003e\n\u003e \u003c/div\u003e\n\u003e\n\u003e \u003cdiv markdown=\"1\"\u003e\n\u003e\n\u003e \u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\n\u003e class=\"mx_EventTile_body\" dir=\"auto\"\u003e%24%7B%3A%3A-\u003c/span\u003e\u003c/span\u003e\n\u003e\n\u003e \u003c/div\u003e\n\u003e\n\u003e \u003cdiv markdown=\"1\"\u003e\n\u003e\n\u003e \u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\n\u003e class=\"mx_EventTile_body\" dir=\"auto\"\u003e\\${env:\u003c/span\u003e\u003c/span\u003e\n\u003e\n\u003e \u003c/div\u003e\n\u003e\n\u003e \u003cdiv markdown=\"1\"\u003e\n\u003e\n\u003e \u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\n\u003e class=\"mx_EventTile_body\" dir=\"auto\"\u003e\\${date:\u003c/span\u003e\u003c/span\u003e\n\u003e\n\u003e \u003c/div\u003e\n\u003e\n\u003e \u003cdiv markdown=\"1\"\u003e\n\u003e\n\u003e \u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\n\u003e class=\"mx_EventTile_body\" dir=\"auto\"\u003e\\${lower:\u003c/span\u003e\u003c/span\u003e\n\u003e\n\u003e \u003c/div\u003e\n\u003e\n\u003e \u003cdiv markdown=\"1\"\u003e\n\u003e\n\u003e \u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\n\u003e class=\"mx_EventTile_body\" dir=\"auto\"\u003e\\${upper:\u003c/span\u003e\u003c/span\u003e\n\u003e\n\u003e \u003c/div\u003e\n\u003e\n\u003e \u003cdiv markdown=\"1\"\u003e\n\u003e\n\u003e \u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\n\u003e class=\"mx_EventTile_body\" dir=\"auto\"\u003ehostName}\u003c/span\u003e\u003c/span\u003e\n\u003e\n\u003e \u003c/div\u003e\n\u003e\n\u003e \u003cdiv markdown=\"1\"\u003e\n\u003e\n\u003e \u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\n\u003e class=\"mx_EventTile_body\" dir=\"auto\"\u003e}\\${\u003c/span\u003e\u003c/span\u003e\n\u003e\n\u003e \u003c/div\u003e\n\u003e\n\u003e \u003cdiv markdown=\"1\"\u003e\n\u003e\n\u003e \\${\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (g\u00e9n\u00e8re beaucoup de faux positifs, mais tr\u00e8s\n\u003e exhaustif)\n\u003e\n\u003e \u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003cspan style=\"color: #ff0000;\" darkreader-inline-color=\"\"\u003e\u003cstrong\u003e\u00a0\u003c/strong\u003e\u003c/span\u003e\n\n\u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\nAfin de d\u00e9terminer si une tentative d\u0027exploitation a r\u00e9ussi, et dans le\ncas o\u00f9 vous disposeriez de journaux contenant des requ\u00eates DNS, il est\nrecommand\u00e9 de les corr\u00e9ler aux r\u00e9sultats des motifs pr\u00e9c\u00e9demment\n\u00e9nonc\u00e9s. En effet, si l\u2019ex\u00e9cution d\u0027une requ\u00eate de type\n*\\${jndi:xxx://nom.domaine.com}* a fonctionn\u00e9, une r\u00e9solution DNS sera\nalors effectu\u00e9e pour r\u00e9soudre le nom de domaine externe\n*nom*.*domaine.com*. L\u0027\u00e9mission d\u0027une requ\u00eate DNS peut \u00e9galement faire\nl\u0027objet d\u0027une trace dans les journaux du serveur applicatif. Ainsi, il\npeut \u00eatre utile de chercher le motif *com.sun.jndi.dns.DnsContext@* dans\nces journaux.\n\n\u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\nNote : une r\u00e9solution de domaine externe ne signifie pas qu\u0027une\nex\u00e9cution de code a r\u00e9ussi mais permet de \u003cstrong\u003econfirmer que l\u0027application\nest vuln\u00e9rable\u003c/strong\u003e. Il sera donc n\u00e9cessaire de poursuivre l\u0027analyse des\njournaux pour d\u00e9tecter une compromission.\n\n\u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\nEn compl\u00e9ment des informations ci-dessus, une requ\u00eate de type\n*\\${jndi:dns://serveur_dns/enregistrement_TXT}* est \u00e9galement utilisable\npar l\u0027attaquant pour tester la pr\u00e9sence de la vuln\u00e9rabilit\u00e9.\n\n\u003c/div\u003e\n\n\u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003c/div\u003e\n\n\u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\nIl est \u00e9galement int\u00e9ressant de rechercher les motifs suivants dans les\nfichiers journaux des applications :\n\n\u003c/div\u003e\n\n- le motif\u00a0*\u003cspan class=\"mx_MTextBody mx_EventTile_content\"\u003e\u003cspan\n class=\"mx_EventTile_body markdown-body\"\n dir=\"auto\"\u003ecom.sun.jndi.ldap.LdapCtx@\u003c/span\u003e\u003c/span\u003e* (et non pas\n *com.sun.jndi.dns.DnsContext@* comme indiqu\u00e9 pr\u00e9c\u00e9demment)\n appara\u00eetra lorsqu\u0027une injection LDAP est utilis\u00e9e pour r\u00e9cup\u00e9rer du\n contenu qui ne serait pas un objet java au standard rfc2713 : il\n peut s\u0027agir d\u0027un scan de d\u00e9tection ou d\u0027une tentative erron\u00e9e d\u0027un\n attaquant\n- l\u0027injection sera enregistr\u00e9e dans les journaux telle qu\u0027elle a \u00e9t\u00e9\n soumise par l\u0027attaquant si le serveur LDAP n\u0027est pas joignable ou si\n l\u0027objet qu\u0027il souhaitait t\u00e9l\u00e9charger n\u0027est pas trouv\u00e9 sur le serveur\n LDAP : il est donc possible de trouver des tentatives d\u0027injection\n sous une forme obscurcie dans les journaux, les motifs pr\u00e9c\u00e9demment\n list\u00e9s peuvent donc \u00eatre utilis\u00e9s pour identifier toutes les\n tentatives\n- une erreur contenant le motif \"Reference Class Name:\" suivi d\u0027un nom\n de classe puis des lignes commen\u00e7ant par \"*Type:*\" et \"*Content:*\"\n peut appara\u00eetre dans les journaux si l\u0027injection LDAP fonctionne\n mais que la classe contenant la charge utile ne peut pas \u00eatre\n r\u00e9cup\u00e9r\u00e9e sur le serveur LDAP vis\u00e9\n- il peut \u00eatre int\u00e9ressant de chercher des injections en DNS et LDAP\n bas\u00e9es sur la classe *JavaLookup* tels que *\\${java:hw}*,\n *\\${java:vm}* et *\\${java:os}*. Ces derni\u00e8res sont utilis\u00e9es par les\n attaquants pour obtenir des informations sur la machine cibl\u00e9e.* \n *\n\n\u003cspan style=\"color: #ff0000;\"\u003e\u003cstrong\u003e\\[Mise \u00e0 jour du 07 janvier\n2022\\]\u003c/strong\u003e\u003c/span\u003e Le CERT-FR propose au t\u00e9l\u00e9chargement un ensemble de\nr\u00e8gles de d\u00e9tection bas\u00e9es sur la syntaxe utilis\u00e9e par l\u0027outil suricata.\nCes r\u00e8gles peuvent \u00eatre mises en \u0153uvre, apr\u00e8s adaptation, sur un\n\u00e9quipement de d\u00e9tection r\u00e9seau ou un pare-feu applicatif. Un guide de\nmise en \u0153uvre est \u00e9galement propos\u00e9.\n\n- le guide est disponible \u003cspan style=\"color: #ff0000;\"\u003e\u003ca\n href=\"/uploads/ANSSI_Detection_log4j_NP_TLP_WHITE_v1.0.6.pdf\"\n style=\"color: #ff0000;\"\u003eici\u003c/a\u003e\u003c/span\u003e.\n- les r\u00e8gles sont disponibles\n [ici](/uploads/anssi_cve_2021_44228_and_jndi_export_v3.txt).\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\n### Pr\u00e9cisions sur les CVE-2021-45046 et CVE-2021-45105\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\nLa version 2.15.0 recommand\u00e9e jusqu\u0027\u00e0 pr\u00e9sent est affect\u00e9e par une autre\nvuln\u00e9rabilit\u00e9, d\u00e9sign\u00e9e par l\u0027identifiant CVE-2021-45046 \\[4\\]. Cette\nvuln\u00e9rabilit\u00e9 permet \u00e0 un attaquant non authentifi\u00e9 d\u0027effectuer un d\u00e9ni\nde service. Par ailleurs, des chercheurs ont mis en \u00e9vidence la\npossibilit\u00e9 d\u0027exfiltrer des donn\u00e9es dans certaines configurations non\nd\u00e9taill\u00e9es.\n\n\u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\nPar ailleurs, les versions 2.16.0 et 2.12.2 sont affect\u00e9es par une\nnouvelle vuln\u00e9rabilit\u00e9, d\u00e9sign\u00e9e par l\u0027identifiant CVE-2021-45105 \\[5\\],\nqui permet de provoquer un d\u00e9ni de service \u00e0 distance.\n\n\u003c/div\u003e\n\n### Pr\u00e9cisions sur la CVE-2021-44832\n\nLa version 2.17.0 recommand\u00e9e jusqu\u0027\u00e0 pr\u00e9sent est affect\u00e9e par une\nvuln\u00e9rabilit\u00e9, d\u00e9sign\u00e9e par l\u0027identifiant CVE-2021-44832 \\[6\\]. Cette\nvuln\u00e9rabilit\u00e9 permet \u00e0 un attaquant, autoris\u00e9 \u00e0 modifier le fichier de\nconfiguration Log4J, d\u0027effectuer une ex\u00e9cution de code \u00e0 distance. La\ncomplexit\u00e9 de l\u0027attaque \u00e9tant \u00e9lev\u00e9e, le CERT-FR continue de recommander\nla mise \u00e0 jour des composants Log4j \u00e0 la version 2.17.0 pour java 8 et\n2.12.3 pour java7. Par ailleurs, il est fortement recommand\u00e9 de rester\nattentif aux nouvelles vuln\u00e9rabilit\u00e9s Log4j qui pourraient \u00eatre\nidentifi\u00e9es \u00e0 l\u0027avenir ainsi qu\u0027aux correctifs propos\u00e9s par Apache.\n\n### Pr\u00e9cisions sur les modes d\u0027attaque\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\nIl convient \u00e9galement de noter que des techniques permettent d\u0027exploiter\nla vuln\u00e9rabilit\u00e9 localement sans recourir \u00e0 un serveur tiers\nmalveillant. L\u0027attaquant peut injecter un code malveillant dans la\nrequ\u00eate initiale s\u0027il a suffisamment d\u0027informations sur l\u0027application\nvuln\u00e9rable qu\u0027il cible. Cette attaque requiert donc une premi\u00e8re phase\nde reconnaissance et de collecte de donn\u00e9es. Cette phase est possible\ntant que n\u0027ont pas \u00e9t\u00e9 appliqu\u00e9s : d\u0027une part, un filtrage r\u00e9seau\nad\u00e9quat et d\u0027autre part, le correctif ou, \u00e0 d\u00e9faut, les mesures de\ncontournement. Il est donc important de disposer des journaux de ces\nenvironnements pour rechercher des \u00e9ventuelles traces d\u0027exfiltration de\ndonn\u00e9es. Les moyens de d\u00e9tection pr\u00e9c\u00e9demment peuvent \u00eatre utilis\u00e9s \u00e0\ncette fin.\n\n\u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003cspan style=\"color: #ff0000;\" darkreader-inline-color=\"\"\u003e\u003cstrong\u003e\u00a0\u003c/strong\u003e\u003c/span\u003e\n\n\u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\nPour rappel : une application utilisant une version non vuln\u00e9rable de\nlog4j peut transmettre des donn\u00e9es \u00e0 une autre application qui utilise\nune version vuln\u00e9rable de cette biblioth\u00e8que. L\u2019attaquant pourra\nexploiter la vuln\u00e9rabilit\u00e9 dans la seconde application en soumettant une\ndonn\u00e9e malveillante via la premi\u00e8re. Par cons\u00e9quent, le CERT-FR\nrecommande de ne pas limiter l\u0027identification de la vuln\u00e9rabilit\u00e9 aux\nseules applications expos\u00e9es sur Internet, mais \u00e9galement aux\napplications internes. L\u0027utilisation d\u0027outils tels que ceux list\u00e9s\nci-dessous facilitera leur identification.\n\n\u003c/div\u003e\n\n\u003c/div\u003e\n\n\u003c/div\u003e\n\n\u003c/div\u003e\n\n\u003c/div\u003e\n\n\u003c/div\u003e\n", "title": "[MaJ] Vuln\u00e9rabilit\u00e9 dans Apache Log4j", "vendor_advisories": [] }
tid-326
Vulnerability from emb3d
Many object-oriented languages use serialization to convert class objects into byte strings for more efficient storage or transmission. However, if an untrusted byte string is deserialized without properly validating its contents, it could be used to exploit a vulnerability in the associated library. A threat actor could send a maliciously crafted serialized object to a device to exploit a deserialization vulnerability within a device.
- CWE-502: Deserialization of Untrusted Data (Base)
ghsa-fp5r-v3w9-4333
Vulnerability from github
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "log4j:log4j" }, "ranges": [ { "events": [ { "introduced": "1.2.0" }, { "last_affected": "1.2.17" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.zenframework.z8.dependencies.commons:log4j-1.2.17" }, "ranges": [ { "events": [ { "introduced": "0" }, { "last_affected": "2.0" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2021-4104" ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2021-12-14T19:47:27Z", "nvd_published_at": "2021-12-14T12:15:00Z", "severity": "HIGH" }, "details": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "id": "GHSA-fp5r-v3w9-4333", "modified": "2023-10-26T15:04:19Z", "published": "2021-12-14T19:49:31Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "type": "WEB", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "type": "PACKAGE", "url": "https://github.com/apache/logging-log4j2" }, { "type": "WEB", "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202209-02" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202310-16" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-02" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-04" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20211223-0007" }, { "type": "WEB", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "type": "WEB", "url": "https://www.kb.cert.org/vuls/id/930724" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data" }
cnvd-2022-01775
Vulnerability from cnvd
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://logging.apache.org/log4j/2.x/security.html
Name | Apache Log4j 1.2 |
---|
{ "cves": { "cve": { "cveNumber": "CVE-2021-4104", "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" } }, "description": "Apache Log4j\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u57fa\u4e8eJava\u7684\u5f00\u6e90\u65e5\u5fd7\u8bb0\u5f55\u5de5\u5177\u3002\n\nApache Log4j 1.2\u5b58\u5728\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7JMSApender\u53cd\u5e8f\u5217\u5316\u6765\u8fd0\u884c\u4ee3\u7801\u3002", "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://logging.apache.org/log4j/2.x/security.html", "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e", "number": "CNVD-2022-01775", "openTime": "2022-01-08", "patchDescription": "Apache Log4j\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u57fa\u4e8eJava\u7684\u5f00\u6e90\u65e5\u5fd7\u8bb0\u5f55\u5de5\u5177\u3002\r\n\r\nApache Log4j 1.2\u5b58\u5728\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7JMSApender\u53cd\u5e8f\u5217\u5316\u6765\u8fd0\u884c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002", "patchName": "Apache Log4j\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01", "products": { "product": "Apache Log4j 1.2" }, "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "serverity": "\u4e2d", "submitTime": "2021-12-16", "title": "Apache Log4j\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e" }
fkie_cve-2021-4104
Vulnerability from fkie_nvd
URL | Tags | ||
---|---|---|---|
security@apache.org | http://www.openwall.com/lists/oss-security/2022/01/18/3 | ||
security@apache.org | https://access.redhat.com/security/cve/CVE-2021-4104 | ||
security@apache.org | https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 | ||
security@apache.org | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033 | ||
security@apache.org | https://security.gentoo.org/glsa/202209-02 | ||
security@apache.org | https://security.gentoo.org/glsa/202310-16 | ||
security@apache.org | https://security.gentoo.org/glsa/202312-02 | ||
security@apache.org | https://security.gentoo.org/glsa/202312-04 | ||
security@apache.org | https://security.netapp.com/advisory/ntap-20211223-0007/ | ||
security@apache.org | https://www.cve.org/CVERecord?id=CVE-2021-44228 | ||
security@apache.org | https://www.kb.cert.org/vuls/id/930724 | ||
security@apache.org | https://www.oracle.com/security-alerts/cpuapr2022.html | ||
security@apache.org | https://www.oracle.com/security-alerts/cpujan2022.html | ||
security@apache.org | https://www.oracle.com/security-alerts/cpujul2022.html | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/01/18/3 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2021-4104 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202209-02 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202310-16 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202312-02 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202312-04 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20211223-0007/ | ||
af854a3a-2127-422b-91ae-364da2661108 | https://www.cve.org/CVERecord?id=CVE-2021-44228 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://www.kb.cert.org/vuls/id/930724 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpuapr2022.html | ||
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpujan2022.html | ||
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpujul2022.html |
Vendor | Product | Version | |
---|---|---|---|
apache | log4j | 1.2 | |
fedoraproject | fedora | 35 | |
redhat | codeready_studio | 12.0 | |
redhat | integration_camel_k | - | |
redhat | integration_camel_quarkus | - | |
redhat | jboss_a-mq | 6.0.0 | |
redhat | jboss_a-mq | 7 | |
redhat | jboss_a-mq_streaming | - | |
redhat | jboss_data_grid | 7.0.0 | |
redhat | jboss_data_virtualization | 6.0.0 | |
redhat | jboss_enterprise_application_platform | 6.0.0 | |
redhat | jboss_enterprise_application_platform | 7.0 | |
redhat | jboss_fuse | 6.0.0 | |
redhat | jboss_fuse | 7.0.0 | |
redhat | jboss_fuse_service_works | 6.0 | |
redhat | jboss_operations_network | 3.0 | |
redhat | jboss_web_server | 3.0 | |
redhat | openshift_application_runtimes | - | |
redhat | openshift_container_platform | 4.6 | |
redhat | openshift_container_platform | 4.7 | |
redhat | openshift_container_platform | 4.8 | |
redhat | process_automation | 7.0 | |
redhat | single_sign-on | 7.0 | |
redhat | software_collections | - | |
redhat | enterprise_linux | 6.0 | |
redhat | enterprise_linux | 7.0 | |
redhat | enterprise_linux | 8.0 | |
oracle | advanced_supply_chain_planning | 12.1 | |
oracle | advanced_supply_chain_planning | 12.2 | |
oracle | business_intelligence | 5.9.0.0.0 | |
oracle | business_intelligence | 12.2.1.3.0 | |
oracle | business_intelligence | 12.2.1.4.0 | |
oracle | business_process_management_suite | 12.2.1.3.0 | |
oracle | business_process_management_suite | 12.2.1.4.0 | |
oracle | communications_eagle_ftp_table_base_retrieval | 4.5 | |
oracle | communications_messaging_server | 8.1 | |
oracle | communications_network_integrity | 7.3.6 | |
oracle | communications_offline_mediation_controller | * | |
oracle | communications_offline_mediation_controller | 12.0.0.5.0 | |
oracle | communications_unified_inventory_management | 7.3.4 | |
oracle | communications_unified_inventory_management | 7.3.5 | |
oracle | communications_unified_inventory_management | 7.4.1 | |
oracle | communications_unified_inventory_management | 7.4.2 | |
oracle | e-business_suite_cloud_manager_and_cloud_backup_module | 2.2.1.1.1 | |
oracle | enterprise_manager_base_platform | 13.4.0.0 | |
oracle | enterprise_manager_base_platform | 13.5.0.0 | |
oracle | financial_services_revenue_management_and_billing_analytics | 2.7.0.0 | |
oracle | financial_services_revenue_management_and_billing_analytics | 2.7.0.1 | |
oracle | financial_services_revenue_management_and_billing_analytics | 2.8.0.0 | |
oracle | fusion_middleware_common_libraries_and_tools | 12.2.1.4.0 | |
oracle | goldengate | - | |
oracle | healthcare_data_repository | 8.1.0 | |
oracle | hyperion_data_relationship_management | * | |
oracle | hyperion_infrastructure_technology | * | |
oracle | identity_management_suite | 12.2.1.3.0 | |
oracle | identity_management_suite | 12.2.1.4.0 | |
oracle | jdeveloper | 12.2.1.3.0 | |
oracle | mysql_enterprise_monitor | * | |
oracle | retail_allocation | 14.1.3.2 | |
oracle | retail_allocation | 15.0.3.1 | |
oracle | retail_allocation | 16.0.3 | |
oracle | retail_allocation | 19.0.1 | |
oracle | retail_extract_transform_and_load | 13.2.5 | |
oracle | stream_analytics | - | |
oracle | timesten_grid | - | |
oracle | tuxedo | 12.2.2.0.0 | |
oracle | utilities_testing_accelerator | 6.0.0.1.1 | |
oracle | utilities_testing_accelerator | 6.0.0.2.2 | |
oracle | utilities_testing_accelerator | 6.0.0.3.1 | |
oracle | weblogic_server | 12.2.1.3.0 | |
oracle | weblogic_server | 12.2.1.4.0 | |
oracle | weblogic_server | 14.1.1.0.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:log4j:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "2954BDA9-F03D-44AC-A9EA-3E89036EEFA8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:redhat:codeready_studio:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "1BAF877F-B8D5-4313-AC5C-26BB82006B30", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*", "matchCriteriaId": "B87C8AD3-8878-4546-86C2-BF411876648C", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:integration_camel_quarkus:-:*:*:*:*:*:*:*", "matchCriteriaId": "F039C746-2001-4EE5-835F-49607A94F12B", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_a-mq:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "33C4404A-CFB7-4B47-9487-F998825C31CA", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_a-mq:7:*:*:*:*:*:*:*", "matchCriteriaId": "A58966CB-36AF-4E64-AB39-BE3A0753E155", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_a-mq_streaming:-:*:*:*:*:*:*:*", "matchCriteriaId": "8C7257E5-B4A7-4299-8FE1-A94121E47528", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD354E32-A8B0-484C-B4C6-9FBCD3430D2D", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_data_virtualization:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5CDDAFDB-E67A-4795-B2C4-C2D31734ABC8", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B142ACCC-F7A9-4A3B-BE60-0D6691D5058D", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "88BF3B2C-B121-483A-AEF2-8082F6DA5310", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "A305F012-544E-4245-9D69-1C8CD37748B1", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_fuse_service_works:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "3B78438D-1321-4BF4-AEB1-DAF60D589530", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_operations_network:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "C077D692-150C-4AE9-8C0B-7A3EA5EB1100", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_web_server:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "54EB07A0-FB38-4F17-9C8D-DB629967F07B", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*", "matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.6:*:*:*:*:*:*:*", "matchCriteriaId": "6B62E762-2878-455A-93C9-A5DB430D7BB5", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.7:*:*:*:*:*:*:*", "matchCriteriaId": "14CF53D2-B585-4EA5-8F18-21BC9ECBB4B6", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.8:*:*:*:*:*:*:*", "matchCriteriaId": "91B493F0-5542-49F7-AAAE-E6CA6E468D7B", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "20A6B40D-F991-4712-8E30-5FE008505CB7", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*", "matchCriteriaId": "749804DA-4B27-492A-9ABA-6BB562A6B3AC", "vulnerable": true }, { "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", "vulnerable": true }, { "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true }, { "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*", "matchCriteriaId": "A62E2A25-1AD7-4B4B-9D1B-F0DEA4550557", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*", "matchCriteriaId": "0331158C-BBE0-42DB-8180-EB1FCD290567", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "B602F9E8-1580-436C-A26D-6E6F8121A583", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "77C3DD16-1D81-40E1-B312-50FBD275507C", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "81DAC8C0-D342-44B5-9432-6B88D389584F", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "E869C417-C0E6-4FC3-B406-45598A1D1906", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "DFEFE2C0-7B98-44F9-B3AD-D6EC607E90DA", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*", "matchCriteriaId": "C68536CA-C7E2-4228-A6B8-F0DB6A9D29EC", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "E1214FDF-357A-4BB9-BADE-50FB2BD16D10", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "B21E6EEF-2AB7-4E96-B092-1F49D11B4175", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "28CDCE04-B074-4D7A-B6E4-48193458C9A0", "versionEndExcluding": "12.0.0.4.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "5933FEA2-B79E-4EE7-B821-54D676B45734", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "0D299528-8EF0-49AF-9BDE-4B6C6B1DA36C", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "17A91FD9-9F77-42D3-A4D9-48BC7568ADE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "A7637F8B-15F1-42E2-BE18-E1FF7C66587D", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "E43D793A-7756-4D58-A8ED-72DC4EC9CEA7", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "6ED0EE39-C080-4E75-AE0F-3859B57EF851", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D26F3E23-F1A9-45E7-9E5F-0C0A24EE3783", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "6E8758C8-87D3-450A-878B-86CE8C9FC140", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "054B56E0-F11B-4939-B7E1-E722C67A041A", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "250A493C-E052-4978-ABBE-786DC8038448", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "2E2B771B-230A-4811-94D7-065C2722E428", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:fusion_middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "F17531CB-DE8A-4ACD-93A0-6A5A8481D51B", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:goldengate:-:*:*:*:*:*:*:*", "matchCriteriaId": "507E7AEE-C2FC-4EED-B0F7-5E41642C0BF7", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "66C673C4-A825-46C0-816B-103E1C058D03", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8E7FBA9-0FFF-4C86-B151-28C17A142E0B", "versionEndExcluding": "11.2.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*", "matchCriteriaId": "55BBCD48-BCC6-4E19-A4CE-970E524B9FF4", "versionEndExcluding": "11.2.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "1489DDA7-EDBE-404C-B48D-F0B52B741708", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "535BC19C-21A1-48E3-8CC0-B276BA5D494E", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "228DA523-4D6D-48C5-BDB0-DB1A60F23F8B", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0EBAC6D-D0CE-42A1-AEA0-2D50C8035747", "versionEndIncluding": "8.0.29", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:retail_allocation:14.1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "51E83F05-B691-4450-BCA9-32209AEC4F6A", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:retail_allocation:15.0.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "288235F9-2F9E-469A-BE14-9089D0782875", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:retail_allocation:16.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "6672F9C1-DA04-47F1-B699-C171511ACE38", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:retail_allocation:19.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "11E57939-A543-44F7-942A-88690E39EABA", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "30501D23-5044-477A-8DC3-7610126AEFD7", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:stream_analytics:-:*:*:*:*:*:*:*", "matchCriteriaId": "0B45A731-11D1-433B-B202-9C8D67C609F9", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:timesten_grid:-:*:*:*:*:*:*:*", "matchCriteriaId": "900D9DBF-8071-4CE5-A67A-9E0C00D04B87", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "EB7D0A30-3986-49AB-B7F3-DAE0024504BA", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "A3ED272C-A545-4F8C-86C0-2736B3F2DCAF", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "C5B4C338-11E1-4235-9D5A-960B2711AC39", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "8C93F84E-9680-44EF-8656-D27440B51698", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F14A818F-AA16-4438-A3E4-E64C9287AC66", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "04BCDC24-4A21-473C-8733-0D9CFB38A752", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions." }, { "lang": "es", "value": "JMSAppender en Log4j versi\u00f3n 1.2 es vulnerable a una deserializaci\u00f3n de datos no confiables cuando el atacante presenta acceso de escritura a la configuraci\u00f3n de Log4j. El atacante puede proporcionar configuraciones TopicBindingName y TopicConnectionFactoryBindingName haciendo que JMSAppender realice peticiones JNDI que resulten en la ejecuci\u00f3n de c\u00f3digo remota de forma similar a CVE-2021-44228. Tenga en cuenta que este problema s\u00f3lo afecta a Log4j versi\u00f3n 1.2 cuando es configurado espec\u00edficamente para usar JMSAppender, que no es el predeterminado. Apache Log4j versi\u00f3n 1.2 lleg\u00f3 al final de su vida \u00fatil en agosto de 2015. Los usuarios deber\u00edan actualizar a Log4j 2 ya que aborda otros numerosos problemas de las versiones anteriores" } ], "id": "CVE-2021-4104", "lastModified": "2024-11-21T06:36:54.560", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-12-14T12:15:12.200", "references": [ { "source": "security@apache.org", "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3" }, { "source": "security@apache.org", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "source": "security@apache.org", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "source": "security@apache.org", "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033" }, { "source": "security@apache.org", "url": "https://security.gentoo.org/glsa/202209-02" }, { "source": "security@apache.org", "url": "https://security.gentoo.org/glsa/202310-16" }, { "source": "security@apache.org", "url": "https://security.gentoo.org/glsa/202312-02" }, { "source": "security@apache.org", "url": "https://security.gentoo.org/glsa/202312-04" }, { "source": "security@apache.org", "url": "https://security.netapp.com/advisory/ntap-20211223-0007/" }, { "source": "security@apache.org", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "source": "security@apache.org", "url": "https://www.kb.cert.org/vuls/id/930724" }, { "source": "security@apache.org", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "source": "security@apache.org", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "security@apache.org", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202209-02" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202310-16" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202312-02" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202312-04" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20211223-0007/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.kb.cert.org/vuls/id/930724" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-502" } ], "source": "security@apache.org", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-502" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
gsd-2021-4104
Vulnerability from gsd
{ "GSD": { "alias": "CVE-2021-4104", "description": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "id": "GSD-2021-4104", "references": [ "https://www.suse.com/security/cve/CVE-2021-4104.html", "https://access.redhat.com/errata/RHSA-2022:0661", "https://access.redhat.com/errata/RHSA-2022:0553", "https://access.redhat.com/errata/RHSA-2022:0527", "https://access.redhat.com/errata/RHSA-2022:0524", "https://access.redhat.com/errata/RHSA-2022:0507", "https://access.redhat.com/errata/RHSA-2022:0497", "https://access.redhat.com/errata/RHSA-2022:0475", "https://access.redhat.com/errata/RHSA-2022:0450", "https://access.redhat.com/errata/RHSA-2022:0449", "https://access.redhat.com/errata/RHSA-2022:0448", "https://access.redhat.com/errata/RHSA-2022:0447", "https://access.redhat.com/errata/RHSA-2022:0446", "https://access.redhat.com/errata/RHSA-2022:0445", "https://access.redhat.com/errata/RHSA-2022:0444", "https://access.redhat.com/errata/RHSA-2022:0438", "https://access.redhat.com/errata/RHSA-2022:0437", "https://access.redhat.com/errata/RHSA-2022:0436", "https://access.redhat.com/errata/RHSA-2022:0435", "https://access.redhat.com/errata/RHSA-2022:0430", "https://access.redhat.com/errata/RHSA-2022:0294", "https://access.redhat.com/errata/RHSA-2022:0291", "https://access.redhat.com/errata/RHSA-2022:0290", "https://access.redhat.com/errata/RHSA-2022:0289", "https://access.redhat.com/errata/RHSA-2021:5269", "https://access.redhat.com/errata/RHSA-2021:5206", "https://access.redhat.com/errata/RHSA-2021:5186", "https://access.redhat.com/errata/RHSA-2021:5184", "https://access.redhat.com/errata/RHSA-2021:5183", "https://access.redhat.com/errata/RHSA-2021:5148", "https://access.redhat.com/errata/RHSA-2021:5141", "https://access.redhat.com/errata/RHSA-2021:5107", "https://ubuntu.com/security/CVE-2021-4104", "https://access.redhat.com/errata/RHSA-2022:1296", "https://access.redhat.com/errata/RHSA-2022:1297", "https://access.redhat.com/errata/RHSA-2022:1299", "https://alas.aws.amazon.com/cve/html/CVE-2021-4104.html", "https://linux.oracle.com/cve/CVE-2021-4104.html", "https://access.redhat.com/errata/RHSA-2022:5458", "https://access.redhat.com/errata/RHSA-2022:5459", "https://access.redhat.com/errata/RHSA-2022:5460" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2021-4104" ], "details": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "id": "GSD-2021-4104", "modified": "2023-12-13T01:23:11.557669Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-4104", "STATE": "PUBLIC", "TITLE": "Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Log4j 1.x", "version": { "version_data": [ { "version_affected": "=", "version_name": "Apache Log4j 1.2", "version_value": "1.2.x" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-502 Deserialization of Untrusted Data" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "refsource": "MISC", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "name": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "refsource": "MISC", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "name": "https://access.redhat.com/security/cve/CVE-2021-4104", "refsource": "MISC", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "name": "VU#930724", "refsource": "CERT-VN", "url": "https://www.kb.cert.org/vuls/id/930724" }, { "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033", "refsource": "CONFIRM", "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033" }, { "name": "https://security.netapp.com/advisory/ntap-20211223-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20211223-0007/" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "name": "GLSA-202209-02", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202209-02" }, { "name": "GLSA-202310-16", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202310-16" }, { "name": "GLSA-202312-02", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202312-02" }, { "name": "GLSA-202312-04", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202312-04" } ] }, "source": { "discovery": "UNKNOWN" } }, "gitlab.com": { "advisories": [ { "affected_range": "[1.2,]", "affected_versions": "All versions starting from 1.2", "cvss_v2": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-502", "CWE-937" ], "date": "2022-10-05", "description": "JMSAppender in Log4j is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j when specifically configured to use JMSAppender, which is not the default. Apache Log4j reached end of life in August Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "fixed_versions": [], "identifier": "CVE-2021-4104", "identifiers": [ "CVE-2021-4104" ], "not_impacted": "", "package_slug": "maven/log4j/log4j", "pubdate": "2021-12-14", "solution": "Unfortunately, there is no solution available yet.", "title": "Deserialization of Untrusted Data", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "https://access.redhat.com/security/cve/CVE-2021-4104", "https://www.cve.org/CVERecord?id=CVE-2021-44228", "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "https://www.kb.cert.org/vuls/id/930724" ], "uuid": "6e19d375-181b-4524-9f73-93fb68cd0a8a" }, { "affected_range": "[1.2]", "affected_versions": "Version 1.2", "cvss_v2": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-502", "CWE-937" ], "date": "2022-10-05", "description": "JMSAppender in Log4j is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide `TopicBindingName` and `TopicConnectionFactoryBindingName` configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j when specifically configured to use JMSAppender, which is not the default. Apache Log4j reached end of life in August Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "fixed_versions": [ "2.17.0" ], "identifier": "CVE-2021-4104", "identifiers": [ "CVE-2021-4104" ], "not_impacted": "All versions before 1.2, all versions after 1.2", "package_slug": "maven/org.apache.logging.log4j/log4j-core", "pubdate": "2021-12-14", "solution": "Upgrade to version 2.17.0 or above.", "title": "Deserialization of Untrusted Data", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "https://access.redhat.com/security/cve/CVE-2021-4104", "https://www.cve.org/CVERecord?id=CVE-2021-44228", "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "https://www.kb.cert.org/vuls/id/930724" ], "uuid": "5f488a4a-b189-41f4-b7b6-c6406ddb0703" }, { "affected_range": "[1.2]", "affected_versions": "Version 1.2", "cvss_v2": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-502", "CWE-937" ], "date": "2022-10-05", "description": "JMSAppender in Log4j is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide `TopicBindingName` and `TopicConnectionFactoryBindingName` configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j when specifically configured to use JMSAppender, which is not the default. Apache Log4j reached end of life in August Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "fixed_versions": [], "identifier": "CVE-2021-4104", "identifiers": [ "CVE-2021-4104" ], "not_impacted": "", "package_slug": "maven/org.apache.logging.log4j/log4j", "pubdate": "2021-12-14", "solution": "Unfortunately, there is no solution available yet.", "title": "Deserialization of Untrusted Data", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "https://access.redhat.com/security/cve/CVE-2021-4104", "https://www.cve.org/CVERecord?id=CVE-2021-44228", "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "https://www.kb.cert.org/vuls/id/930724" ], "uuid": "ad844f7c-aeec-4b0a-82bb-e69477840649" } ] }, "nvd.nist.gov": { "cve": { "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:log4j:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "2954BDA9-F03D-44AC-A9EA-3E89036EEFA8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:redhat:codeready_studio:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "1BAF877F-B8D5-4313-AC5C-26BB82006B30", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*", "matchCriteriaId": "B87C8AD3-8878-4546-86C2-BF411876648C", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:integration_camel_quarkus:-:*:*:*:*:*:*:*", "matchCriteriaId": "F039C746-2001-4EE5-835F-49607A94F12B", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_a-mq:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "33C4404A-CFB7-4B47-9487-F998825C31CA", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_a-mq:7:*:*:*:*:*:*:*", "matchCriteriaId": "A58966CB-36AF-4E64-AB39-BE3A0753E155", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_a-mq_streaming:-:*:*:*:*:*:*:*", "matchCriteriaId": "8C7257E5-B4A7-4299-8FE1-A94121E47528", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD354E32-A8B0-484C-B4C6-9FBCD3430D2D", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_data_virtualization:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5CDDAFDB-E67A-4795-B2C4-C2D31734ABC8", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B142ACCC-F7A9-4A3B-BE60-0D6691D5058D", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "88BF3B2C-B121-483A-AEF2-8082F6DA5310", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "A305F012-544E-4245-9D69-1C8CD37748B1", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_fuse_service_works:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "3B78438D-1321-4BF4-AEB1-DAF60D589530", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_operations_network:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "C077D692-150C-4AE9-8C0B-7A3EA5EB1100", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_web_server:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "54EB07A0-FB38-4F17-9C8D-DB629967F07B", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*", "matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.6:*:*:*:*:*:*:*", "matchCriteriaId": "6B62E762-2878-455A-93C9-A5DB430D7BB5", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.7:*:*:*:*:*:*:*", "matchCriteriaId": "14CF53D2-B585-4EA5-8F18-21BC9ECBB4B6", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.8:*:*:*:*:*:*:*", "matchCriteriaId": "91B493F0-5542-49F7-AAAE-E6CA6E468D7B", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "20A6B40D-F991-4712-8E30-5FE008505CB7", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*", "matchCriteriaId": "749804DA-4B27-492A-9ABA-6BB562A6B3AC", "vulnerable": true }, { "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", "vulnerable": true }, { "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true }, { "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*", "matchCriteriaId": "A62E2A25-1AD7-4B4B-9D1B-F0DEA4550557", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*", "matchCriteriaId": "0331158C-BBE0-42DB-8180-EB1FCD290567", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "B602F9E8-1580-436C-A26D-6E6F8121A583", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "77C3DD16-1D81-40E1-B312-50FBD275507C", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "81DAC8C0-D342-44B5-9432-6B88D389584F", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "E869C417-C0E6-4FC3-B406-45598A1D1906", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "DFEFE2C0-7B98-44F9-B3AD-D6EC607E90DA", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*", "matchCriteriaId": "C68536CA-C7E2-4228-A6B8-F0DB6A9D29EC", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "E1214FDF-357A-4BB9-BADE-50FB2BD16D10", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "B21E6EEF-2AB7-4E96-B092-1F49D11B4175", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "28CDCE04-B074-4D7A-B6E4-48193458C9A0", "versionEndExcluding": "12.0.0.4.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "5933FEA2-B79E-4EE7-B821-54D676B45734", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "0D299528-8EF0-49AF-9BDE-4B6C6B1DA36C", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "17A91FD9-9F77-42D3-A4D9-48BC7568ADE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "A7637F8B-15F1-42E2-BE18-E1FF7C66587D", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "E43D793A-7756-4D58-A8ED-72DC4EC9CEA7", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "6ED0EE39-C080-4E75-AE0F-3859B57EF851", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D26F3E23-F1A9-45E7-9E5F-0C0A24EE3783", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "6E8758C8-87D3-450A-878B-86CE8C9FC140", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "054B56E0-F11B-4939-B7E1-E722C67A041A", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "250A493C-E052-4978-ABBE-786DC8038448", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "2E2B771B-230A-4811-94D7-065C2722E428", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:fusion_middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "F17531CB-DE8A-4ACD-93A0-6A5A8481D51B", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:goldengate:-:*:*:*:*:*:*:*", "matchCriteriaId": "507E7AEE-C2FC-4EED-B0F7-5E41642C0BF7", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "66C673C4-A825-46C0-816B-103E1C058D03", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8E7FBA9-0FFF-4C86-B151-28C17A142E0B", "versionEndExcluding": "11.2.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*", "matchCriteriaId": "55BBCD48-BCC6-4E19-A4CE-970E524B9FF4", "versionEndExcluding": "11.2.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "1489DDA7-EDBE-404C-B48D-F0B52B741708", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "535BC19C-21A1-48E3-8CC0-B276BA5D494E", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "228DA523-4D6D-48C5-BDB0-DB1A60F23F8B", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0EBAC6D-D0CE-42A1-AEA0-2D50C8035747", "versionEndIncluding": "8.0.29", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:retail_allocation:14.1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "51E83F05-B691-4450-BCA9-32209AEC4F6A", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:retail_allocation:15.0.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "288235F9-2F9E-469A-BE14-9089D0782875", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:retail_allocation:16.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "6672F9C1-DA04-47F1-B699-C171511ACE38", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:retail_allocation:19.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "11E57939-A543-44F7-942A-88690E39EABA", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "30501D23-5044-477A-8DC3-7610126AEFD7", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:stream_analytics:-:*:*:*:*:*:*:*", "matchCriteriaId": "0B45A731-11D1-433B-B202-9C8D67C609F9", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:timesten_grid:-:*:*:*:*:*:*:*", "matchCriteriaId": "900D9DBF-8071-4CE5-A67A-9E0C00D04B87", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "EB7D0A30-3986-49AB-B7F3-DAE0024504BA", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "A3ED272C-A545-4F8C-86C0-2736B3F2DCAF", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "C5B4C338-11E1-4235-9D5A-960B2711AC39", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "8C93F84E-9680-44EF-8656-D27440B51698", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F14A818F-AA16-4438-A3E4-E64C9287AC66", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "04BCDC24-4A21-473C-8733-0D9CFB38A752", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions." }, { "lang": "es", "value": "JMSAppender en Log4j versi\u00f3n 1.2 es vulnerable a una deserializaci\u00f3n de datos no confiables cuando el atacante presenta acceso de escritura a la configuraci\u00f3n de Log4j. El atacante puede proporcionar configuraciones TopicBindingName y TopicConnectionFactoryBindingName haciendo que JMSAppender realice peticiones JNDI que resulten en la ejecuci\u00f3n de c\u00f3digo remota de forma similar a CVE-2021-44228. Tenga en cuenta que este problema s\u00f3lo afecta a Log4j versi\u00f3n 1.2 cuando es configurado espec\u00edficamente para usar JMSAppender, que no es el predeterminado. Apache Log4j versi\u00f3n 1.2 lleg\u00f3 al final de su vida \u00fatil en agosto de 2015. Los usuarios deber\u00edan actualizar a Log4j 2 ya que aborda otros numerosos problemas de las versiones anteriores" } ], "id": "CVE-2021-4104", "lastModified": "2023-12-22T09:15:36.510", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-12-14T12:15:12.200", "references": [ { "source": "security@apache.org", "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3" }, { "source": "security@apache.org", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "source": "security@apache.org", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "source": "security@apache.org", "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033" }, { "source": "security@apache.org", "url": "https://security.gentoo.org/glsa/202209-02" }, { "source": "security@apache.org", "url": "https://security.gentoo.org/glsa/202310-16" }, { "source": "security@apache.org", "url": "https://security.gentoo.org/glsa/202312-02" }, { "source": "security@apache.org", "url": "https://security.gentoo.org/glsa/202312-04" }, { "source": "security@apache.org", "url": "https://security.netapp.com/advisory/ntap-20211223-0007/" }, { "source": "security@apache.org", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "source": "security@apache.org", "url": "https://www.kb.cert.org/vuls/id/930724" }, { "source": "security@apache.org", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "source": "security@apache.org", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "security@apache.org", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-502" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-502" } ], "source": "security@apache.org", "type": "Secondary" } ] } } } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.